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“Sensitive  But  Unclassified”lnformation  and  Other 
Controls:  Policy  and  Options  for  Scientific  and 
Technical  Information 


Summary 

Providing  access  to  scientific  and  technical  information  (S&T)  for  legitimate 
uses  while  protecting  it  from  potential  terrorists  poses  difficult  policy  choices. 
Federally  funded,  extramural  academic  research  is  to  be  “classified”  if  it  poses  a 
security  threat;  otherwise,  it  is  to  be  “unrestricted.”  Since  the  September  11,  2001 
terrorist  attacks,  controls  increasingly  have  been  placed  on  some  unclassified 
research  and  S&T  information,  including  that  used  to  inform  decision  making  and 
citizen  oversight.  These  controls  include  “sensitive  but  unclassified”  (SBU)  labels; 
restrictive  contract  clauses;  visa  controls;  controlled  laboratories;  and  wider  legal 
restrictions  on  access  to  some  federal  biological,  transportation,  critical 
infrastructure,  geospatial,  environmental  impact,  and  nuclear  information.  Some 
professional  groups  have  supported  voluntary  controls  on  the  conduct  or  publication 
of  sensitive  research.  Federal  agencies  do  not  have  uniform  definitions  of  SBU  or 
consistent  policies  to  safeguard  or  release  it,  raising  questions  about  how  to  identify 
SBU  information,  especially  S&T  information;  how  to  keep  it  from  terrorists,  while 
allowing  access  for  those  who  need  to  use  it;  and  how  to  develop  uniform 
nondisclosure  policies  and  penalties.  On  December  16,  2005,  President  Bush 
instructed  federal  agencies  to  standardize  procedures  to  designate,  mark,  and  handle 
SBU  information,  and  to  forward  recommendations  for  government- wide  standards 
to  the  Director  of  National  Intelligence  (DNI).  The  Information  Sharing 
Environment  Implementation  Plan,  sent  to  Congress  in  November  2006,  reports  that 
final  action  will  occur  during  the  1st  quarter  of  CY2006. 

Following  the  2001  terrorist  attacks,  the  Bush  Administration  issued  guidance 
that  reversed  the  Clinton  Administration’s  “presumption  of  disclosure”  approach  to 
releasing  information  under  Freedom  of  Information  Act  (FOIA)  and  cautioned 
agencies  to  consider  withholding  SBU  information  if  there  was  a  “sound  legal  basis” 
to  do  so.  Some  agencies  contend  that  SBU  information  is  exempt  from  disclosure 
under  FOIA,  even  though  such  information  per  se  is  not  exempt  under  FOIA.  The 
2002  enactment  of  the  Federal  Information  Security  Management  Act  (FISMA) 
rendered  moot  the  definition  of  SBU  that  some  agencies  had  used  since  the  passage 
of  the  Computer  Security  Act  of  1987,  which  identified  sensitive  information  by 
content.  FISMA  requires  agencies  to  categorize  the  criticality  and  sensitivity  of  all 
information  according  to  the  security  control  objectives  of  confidentiality,  integrity, 
and  availability  across  a  range  of  risk  levels  and  to  use  safeguards  based  on  risk  of 
release.  Many  federal  agencies  have  not  yet  fully  implemented  these  new  procedures. 
During  the  109th  Congress,  P.L.  109-90  and  P.L.  109-295  focused  on  management, 
oversight,  and  appropriate  use  of  the  sensitive  security  information  (SSI)  category. 
Legislative  proposals  focused  on  standardizing  concepts  of  “sensitive”  information; 
modifying  penalties  for  disclosure;  and  clarifying  FOIA.  During  the  1 10th  Congress, 
additional  topics  likely  to  be  controversial  include  limiting  the  number  of  persons 
who  can  designate  SBU;  widening  the  use  of  risk-based  approaches  to  control; 
centralizing  review,  handling,  and  appeals;  and  evaluating  the  impact  of  federal 
policies  on  nongovernmental  professional  groups’  prepublication  review  and  self¬ 
policing  of  sensitive  research.  This  report  will  be  updated  as  necessary. 
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“Sensitive  But  Unclassifiecflnformation  and 
Other  Controls:  Policy  and  Options  for 
Scientific  and  Technical  Information 

Introduction  to  the  Issues 

Federal  agencies  have  long  confronted  the  need  to  balance  the  release  of 
information  for  public  use  with  the  need  to  withhold  information  that  could  be  used 
to  threaten  privacy  or  security.  The  term  “sensitive  but  unclassified”  (SBU) 
information  was  used  before  the  terrorist  attacks  of  September  1 1 , 200 1 ,  even  though 
there  is  no  statutory  definition  for  it.  Since  9/11  more  agencies  have  started  to  use 
the  term  “SBU,”  or  some  variant  of  it,  and  to  implement  security  systems  to  identify 
and  protect  nonclassified  information  whose  release  might  benefit  terrorists.  Many 
questions  have  been  raised  about  how  to  design  uniform  policies  and  controls  for 
SBU  information.  This  report  focuses  on  controls  for  two  kinds  of  scientific  and 
technical  information  —  information  used  in  research  and  scientific  publication  and 
information  used  to  serve  broader  public  policy  purposes,  such  as  in  regulatory 
decisionmaking  and  citizen  oversight.  Both  public  and  privately  controlled 
information  are  included  and  in  some  respects,  private  professional  groups’  responses 
are  being  defined  by  public  pressures  and  decisions. 

Two  divergent  perspectives  are  discernable.  From  one  perspective,  broadening 
controls  to  deny  public  access  to  federal  SBU  information  will  constrain  terrorists, 
who  might  use  it  to  threaten  buildings,  infrastructure,  people,  and  services.  It  has 
been  estimated  that  “our  adversaries  derive  up  to  80%  of  their  intelligence  from 
open-source  information.”1  Another  source  put  this  at  90%,  referring  to  information 
about  local  energy  infrastructures,  water  reservoirs,  dams,  highly  enriched  uranium 
storage  sites,  and  nuclear  and  gas  facilities.  Moreover,  some  say  that  the  potential 
for  terrorism  is  heightened  if  terrorists  can  aggregate  seemingly  innocuous  bits  of 
public  information.2  Although  many  agencies  have  begun  to  limit  public  access  to 
sensitive  information,  from  this  perspective,  these  efforts  are  inadequate. 

In  contrast  to  those  who  seek  to  widen  controls,  another  view  contends  that 
inadequate  and  insufficient  sharing  of  information  with  the  public  and  among  first 
responders  potentially  weakens  efforts  to  protect  the  nation  from  terrorist  attacks.  A 
related  perspective  is  that  as  government  policy  on  sharing  information  shifts  to  the 


1  In  a  document  issued  by  the  Pacific  Northwest  National  Laboratory,  a  Department  of 
Energy  affiliated  national  laboratory,  in  “F.A.Q.  Mozart,”  at  [http://www.pnl.gov/isrc 
/mozart/faq.html], 

2  Greg  Griffin,  “Program  Management  Perspective:  Sensitive  Unclassified  Information,”  The 
Dragon  ’s  Breath,  April  2003. 
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“need  to  know”  rationale  that  has  become  more  prevalent  since  the  9/11  terrorist 
attacks,  the  imposition  of  more  controls  will  deny  ordinary  citizens  information 
relating  to  research,  environmental  protection,  transportation,  and  so  forth  that  they 
need  in  order  to  be  informed3  and  to  hold  accountable  government  and  industry 
decisionmakers.  Some  say  new  control  policies  unduly  limit  access  to  information 
needed  to  advance  the  progress  of  science  and  technology  and  the  development  of 
technologies  to  counter  threats,  arguing  that  if  scientific  and  technical  information 
needs  to  be  restricted,  it  should  be  classified. 

This  report  traces  the  evolution  of  SBU-related  controls;  summarizes  actions 
taken  to  protect  certain  types  of  scientific  and  technical  information;  describes 
critiques  of  some  control  policies;  and  summarizes  proposals  and  actions,  including 
congressional,  executive  and  other  initiatives,  to  clarify  these  issues  and  develop 
policies  that  serve  various  stakeholders.  It  also  raises  issues  that  may  warrant  further 
attention.4 


Summary  of  Federal  Policies  to  Classify  or  Control 
Scientific  and  Technical  Information 

Generally,  pursuant  to  National  Security  Decision  Directive  189  (NSDD-189), 
fundamental  (basic  or  applied)  research  conducted  in  universities  is  not  to  be  labeled 
“classified”  if  does  not  affect  national  security;  it  is  therefore  “unrestricted.”5 
Nevertheless,  as  one  commentator  noted,  “[T]he  federal  government  seems  to 


3  The  Final  Report  of  the  National  Commission  on  Terrorist  Attacks  Upon  the  United  States, 
July  22,  2004,  (also  called  The  9/11  Commission  Report )  encouraged  the  promotion  of  a 
“need-  to-share”  culture,  as  opposed  to  a  “need-to-know”  culture  of  information  protection, 
focusing  on  the  development  of  a  “trusted  information  network”  to  make  information  more 
accessible.  (Available  at  [http://www.9-llcommission.gov/report/911Report.pdf].) 

4  This  report  updates  CRS  Report  RL31845,  “Sensitive  But  Unclassified”  and  Other- 
Federal  Security  Controls  on  Scientific  and  Technical  Information:  History  and  Current 
Controversy ,  by  Genevieve  J.  Knezo,  which  described  the  history  of  governmental  controls 
on  “sensitive  unclassified  information.” 

5  National  Security  Decision  Directive-189  (NSDD-189),  titled  “National  Policy  on  the 
Transfer  of  Scientific,  Technical  and  Engineering  Information”  and  issued  on  Sept.  21, 
1985,  says  that  if  federally  funded  basic  scientific  and  technical  information  produced  at 
colleges,  universities  and  laboratories  is  to  be  controlled  for  national  security  reasons,  it 
should  be  classified.  But,  “...  to  the  maximum  extent  possible,  the  products  of  fundamental 
research  remain  unrestricted.  It  is  also  the  policy . . .  that,  where  the  national  security  requires 
control,  the  mechanism  for  control  of  information  generated  during  Federally  funded 
fundamental  research  in  science,  technology,  and  engineering  at  colleges,  universities,  and 
laboratories  is  classification.”  “Fundamental  research”  is  defined  as  "basic  and  applied 
research  in  science  and  engineering,  the  results  of  which  ordinarily  are  published  and  shared 
broadly  within  the  scientific  community....”  This  policy  is  reflected  in  Executive  Order 
12958.  NSDD-189  is  still  in  effect,  as  stated  in  a  letter  from  the  National  Security  Advisor 
to  the  Center  for  Strategic  and  International  Studies  (Issued  by  National  Security  Advisor 
Condoleezza  Rice  on  November  1,  2001). 
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possess  wide  latitude  in  declaring  information,  even  purely  scientific  research, 
classified  or  at  least  sensitive  to  prevent  publication.”6 

Policies  for  Classification  of  Research  Information 

If  research  does  compromise  national  security,  it  may  be  classified  pursuant  to 
Executive  Order  12958  and  Executive  Order  13292  —  the  latter  of  which  expanded 
the  government’s  ability  to  classify  some  scientific  and  technical  information  to 
include  information  related  to  “defense  against  transnational  terrorism”  (Section  1.4 
of  Executive  Order  13292). 7  During  2001  and  2002,  the  heads  of  several  federal 
agencies  with  substantial  research  responsibilities,  who  did  not  have  classification 
authority  under  Executive  Order  12958,  were  given  original  classification  authority. 
These  included  the  Secretaries  of  Health  and  Human  Services8  and  of  Agriculture,9 
the  Administrator  of  the  Environmental  Protection  Agency  (EPA),10  and  the  Director 
of  the  White  House  Office  of  Science  and  Technology  Policy  (OSTP)."  Also, 
pursuant  to  Executive  Order  12958,  federally  funded  researchers  at  any  research¬ 
performing  institution,  including  universities  and  colleges,  are  obligated  to  report  to 
the  government  information  that  they  produce  that  should  be  classified. 12  In  addition, 


6  Alexander  J.  Breeding,  Sensitive  But  Unclassified  Information:  A  Threat  to  Physical 
Security,  SANS  Institute,  2003,  p.  24. 

7  Executive  Order  12958,  Apr.  17,  1995  ( Federal  Register,  60  FR  19825),  permitted 
classification  of  “scientific,  technological,  or  economic  matters  relating  to  the  national 
security”  (Sec.  1.5).  But  Section  1.8  (b)  prohibited  classification  of  “basic  scientific 
research  information  not  related  to  the  national  security.”  Executive  Order  13292,  Mar.  25, 
2003,  changed  section  1.5  of  Executive  Order  12958  to  permit  classification  of  “scientific, 
technological,  or  economic  matters  relating  to  the  national  security,  which  includes  defense 
against  transnational  terrorism”  (Sec.  1.4  (e)  of  Executive  Order  13292,  Federal  Register, 
Mar.  25,  2003).  The  amendment  also  added  a  new  category  of  information,  concerning 
“weapons  of  mass  destruction,”  which  may  be  classified  (Sec.  1 .4  (h)).  The  exemption  for 
basic  scientific  research  not  clearly  related  to  national  security  remains  (new  Section  1 .7). 

8  “Order  of  December  10,  2001  —  Designation  Under  Executive  Order  12958,  Federal 
Register,  Dec.  12,  2001,  Vol.  66,  No.  239,  pp.  64345-64347. 

9  “Order  of  September  26,  2002  —  Designation  Under  Executive  Order  12958,”  Federal 
Register,  Sept.  30,  2002,  Vol.  67,  No.  189,  pp.  61463-61465. 

10  “Order  of  May  6, 2002  —  Designation  Under  Executive  Order  12958,”  Federal  Register, 
May  9,  2002,  Vol.  67,  No.  90,  p.  31109. 

11  “Order  of  September  17,  2003  —  Designation  Under  Executive  Order  12958,”  Federal 
Register ,  Sept.  17,  2003,  Vol.  68,  No.  184,  p.  55257. 

12  “Most  government  grants  for  unclassified  technical  activity  specify  that  if  the  grantee 
believes  the  results  of  the  work  warrant  classification,  the  grantee  has  the  responsibility  to 
limit  the  dissemination  of  that  work  and  to  contact  the  appropriate  U.S.  government  agency 
with  the  authority  to  classify  it.  In  such  extraordinary  cases,  the  initiative  to  seek 
classification  rests  with  the  grantee,  not  the  government”  ( Security  Controls  on  Scientific 
Information  and  the  Conduct  of  Scientific  Research:  A  White  Paper  of  the  Commission  on 
Scientific  Communication  and  National  Security,  Washington,  D.C.,  Center  for  Strategic 
and  International  Studies,  June  2005,  pp.  5-6).  For  instance,  according  to  section  850  of  the 
current  version  of  the  NSF  Grant  Policy  Manual,  NSF-02-151,  July  2002,  “Some  basic 

(continued...) 
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the  government  may  exercise  prepublication  reviews  on  some  R&D  information,13 
and  by  writing  into  contracts  control  clauses  for  SBU  or  classified  information. 
Some  R&D  information  is  “bom  classified,”  according  to  the  Atomic  Energy  Act  of 
1 946 . 14  In  addition,  pursuant  to  the  Information  Security  Act  of  1 95 1 ,  certain  patent 
information  may  be  classified  if  release  would  harm  national  security.15 

Controls  on  Nonclassified  Academic  and  Industrial  Research 

Academic  and  industrial  researchers  are  also  subject  to  sensitive  information 
controls  for  nonclassified  information.  Some  of  these  are  voluntary  and  self-imposed 
by  researchers  or  professional  societies  and  publishers.  For  instance,  in  the  early 
1940s  basic  physics  research  in  fission  was  voluntarily  withheld  from  publication  by 
a  leading  journal.  Physical  Review ,  because  of  fears  that  publication  of  research 


12  (...continued) 

research  information  concerning,  among  other  things,  scientific,  technological  or  economic 
matters  relating  to  the  national  security  or  cryptology  may  require  classification.  There  may 
be  cases  when  an  NSF  grantee  originates  information  during  the  course  of  an  NSF-supported 
project  that  the  grantee  believes  requires  classification  under  E.O.  12958.  In  such  a  case, 
the  grantee  has  the  responsibility  to  promptly  1 .  Submit  the  information  directly  to  the 
government  agency  with  appropriate  subject  matter  interest  and  classification  authority  or, 
if  uncertain  as  to  which  agency  should  receive  the  information,  to  the  Director  of  the 
Information  Security  Oversight  Office,  GSA;  2.  Protect  the  information  as  though  it  were 
classified  until  the  grantee  is  informed  that  the  information  does  not  require  classification, 
but  not  longer  than  30  days  after  receipt  by  the  agency  with  subject  matter  interest  or  by  the 
GSA;  and  3.  Notify  the  appropriate  NSF  program  Officer.”  The  authority  has  to  decide 
within  30  days  whether  to  classify  the  information,  and  if  it  requires  classification,  the 
“performing  organization  may  wish  or  need  to  discontinue  the  project.”  Dissemination  of 
findings  may  also  be  controlled. 

13  The  federal  government  exercises  “prepublication  review”  of  some  privately  published 
scientific  and  technical  information  by  current  and  former  employees  and  contractors  who 
worked  for  federal  agencies  and  who  had  access  to  classified  information.  The  Defense 
Department  (DOD)  typically  includes  “prepublication  review”  clauses  in  government 
contracts  for  extramural  research.  These  controls  are  used  if  classified  information  was  used 
in  research  or  when  the  government  seeks  to  prohibit  release  of  information  deemed 
sensitive  because  of  the  way  it  is  aggregated.  Beginning  in  1980,  all  academic  cryptography 
research  is  to  be  submitted  on  a  voluntary  basis  for  pre-publication  review  to  the  National 
Security  Agency.  The  U.S.  government  may  enter  into  contracts  to  purchase  exclusive 
rights  to  commercial  satellite  imagery  and  may  stop  the  collection  and  dissemination  of 
commercial  satellite  imagery  for  national  security  reasons.  (For  additional  information,  see 
CRS  Report  RL31845,  op.  cit.  and  CSIS,  Security  Controls  on  Scientific  Information,  June 
2005,  op.  cit.,  pp.  13-14.) 

14  See  CRS  Report  RL31845,  op.  cit. 

15  Pursuant  to  35  U.S.C.  181-188.  See  CRS  Report  RL31845  for  additional  information. 
According  to  OMBWcitch’s  report,  Secrecy  Report  Card  2005:  Quantitative  Indicators  of 
Secrecy  in  the  Federal  Government,  a  report  by  Open  the  Government.Org.  Americans  for 
Less  Secrecy,  More  Democracy,  Washington,  D.C.,  2005,  the  number  of  secrecy  orders 
imposed  on  new  patents  rose  from  83  in  2001  to  124  in  2004,  and  the  number  of  secrecy 
orders  in  effect  increased  from  4,736  in  2001  to  4,885  in  2004  (p.  5)  However,  it  is  likely 
that  most  of  these  were  recommended  by,  and  issued  to,  federal  agencies  for  their  own 
government-owned  technical  information. 
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results  would  benefit  German  atomic  energy  research.  After  the  war  ended  the 
results  were  published.  However,  reportedly,  foreign  scientists,  especially  Soviet 
scientists,  deduced  that  the  absence  of  research  publications  on  the  topic  meant  that 
Americans  “were  pursuing  an  atomic  bomb”  and  started  their  own  inquiries  on  this 
subject.16  More  recently,  some  researchers  have  initiated  voluntary  controls  on  the 
conduct  and/or  publication  of  sensitive  research  in  biological  sciences  fields  that 
might  assist  terrorists.  (For  additional  details,  see  the  section  below  entitled 
“Controls  on  Unclassified  Biological  Research  Information.”)  In  addition,  the 
directors  of  the  Department  of  Homeland  Security’s  (DHS)  six  academic  centers  of 
excellence  have  developed  draft  guidelines  “to  control  the  dissemination  of  sensitive 
information  generated  by  their  research”17  —  which  is  in  the  fields  of  agricultural, 
chemical,  biological,  nuclear  and  radiological,  cyber  terrorism,  and  the  behavioral 
aspects  of  terrorism. 

There  are  also  formal  government-mandated  controls.  For  instance,  pursuant 
to  sections  3235  and  3295(c)  of  the  National  Defense  Authorization  Act  for 
FY2000,1S  the  Department  of  Energy  (DOE)  released  regulations,  effective  August 
18,  2006,  that  require  all  users  of  DOE  computers,  including  persons  who  e-mail  a 
DOE  computer,  to  give  the  department  written  permission  for  investigators  to  check 
any  DOE  computer  accessed  by  that  person  for  up  to  three  years  in  the  future.  The 
regulation  applies  to  all  information,  including  classified  and  sensitive  but 
unclassified,  and  other  types.19  Reportedly,  the  required  paperwork  might  prove  to 
be  costly  to  some  researchers.20 

The  federal  government  also  mandates  controls  on  contract  research.  For 
instance,  the  issue  of  federal  agency  research  contracts  with  universities  imposing 
prepublication  review  clauses  was  addressed  in  an  April  2004  report,  Restrictions  on 
Research  Awards:  Troublesome  Clauses,  released  by  the  Association  of  American 
Universities,  in  cooperation  with  the  Council  on  Government  Relations.  It  detailed 
138  instances  of  restrictions  placed  on  publications  or  other  prohibitions  on  foreign 
nationals  as  preconditions  for  receiving  research  awards.  The  report  opposed  the 
practice,  recommended  that  federal  agencies  adhere  to  the  mandates  of  NSDD-189, 
and  concluded  that  governmental  restrictions  were  not  compatible  with  university 
research. 

Export  and  Visa  Controls.  Export  control  regulations  generally  do  not 
apply  to  the  conduct  of  fundamental  research  as  long  as  it  is  ordinarily  published  and 
shared  broadly  within  the  scientific  community.  However,  export  control  regulations 
and  International  Traffic  in  Arms  Control  regulations  (ITAR)  permit  the  government 


16  Chelsa  Wald,  “Landmarks:  The  Physical  Review’s  Explosive  Secret, ”Oct.  26,  2004. 

17  Yudhijit  Bhattacharjee,  “Scientific  Openness;  Should  Academics  Self-Censor  Their 
Findings  on  Terrorism?,”  Science,  May  19,  2006,  993-994. 

18  50  U.S.C.  2425,  2483(c). 

19  “Computer  Security;  Access  to  Information  on  Department  of  Energy  Computers  and 
Computer  Systems,”  Final  Rule,  Federal  Register ,  July  19,  2006,  pp.  40880-40866. 

20  Yudhijit  Bhattacharjee,  “DOE  Tightens  Monitoring  of  Lab  Collaborators,”  Science,  Sept. 

1,  2006,  p.  1218. 
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to  require  licensing  for  the  export,  or  “deemed  export,”  of  certain  scientific  and 
technical  information  to  specific  foreign  countries  or  citizens  of  those  countries 
working  in  the  United  States21  on  university  campuses  or  in  industrial  laboratories. 
During  2004  and  2005,  considerable  controversy  arose22  over  the  publication  of  two 
Inspector  General  reports,23  one  from  the  Department  of  Defense  (DOD)  and  the 
other  from  the  Department  of  Commerce  (DOC).  They  proposed  strict  adherence  to 
government  interpretations  that,  even  if  the  research  being  conducted  is  fundamental. 


21  Both  the  Export  Administration  Act  (50  U.S.C.  App.  2401-2420)  (6)  and  the  Arms  Export 
Control  Act  (22  U.S.C.  2751-2794)  provide  authority  to  control  the  dissemination  to  foreign 
nationals,  both  in  the  United  States  and  abroad,  of  scientific  and  technical  data  related  to 
items  requiring  export  licenses  according  to  the  Export  Administration  Regulations  (EAR) 
or  the  International  Traffic  in  Arms  Regulations  (ITAR).  Both  laws  give  agencies  authority 
to  regulate  the  export  of  technical  data.  ITAR  controls  the  release  of  defense  articles 
specified  on  the  U.S.  Munitions  List  (22  CFR  121)  and  technical  data  directly  related  to 
them.  EAR,  among  other  things,  controls  the  export  of  dual-use  items  (items  that  have  both 
civilian  and  military  uses)  on  the  Department  of  Commerce  Control  List  (15  CFR  Part  774) 
and  technical  data  related  to  them.  The  implementing  regulations  are  administered  by  the 
Department  of  Commerce,  which  licenses  items  subject  to  EAR,  and  by  the  Department  of 
State,  which  licenses  items  subject  to  ITAR  and  the  Munitions  List  of  items.  Fundamental 
research,  but  not  all  activities  related  to  the  conduct  of  such  research,  is  excluded  from 
ITAR  and  EAR.  ITAR  generally  treats  the  disclosure  or  transfer  of  technical  data  to  a 
foreign  national,  whether  in  the  United  States  or  abroad,  as  an  export.  According  to  ITAR 
regulations,  publicly  available  scientific  and  technical  information  and  academic  exchanges 
and  information  presented  at  scientific  meetings  are  not  treated  as  controlled  technical  data. 
Nevertheless,  there  has  been  considerable  ambiguity  and  confusion  regarding  these 
provisions  because  of  uncertainties  about  which  research  projects  might  not  be  excluded 
because  they  use  space  or  defense  articles,  technologies,  and  defense  services  on  the 
Munitions  List  that  is  used  to  identify  technologies  requiring  export  licensing.  The  Export 
Administration  regulations  categorize  as  “deemed  exports”  communications  both  to  foreign 
nationals  about  technologies  characterized  as  “sensitive”  and  to  countries  identified  as 
“sensitive”  under  EAR  rules.  Under  language  in  a  rule  issued  in  March  2002,  the  State 
Department  exempted  U.S.  universities  from  obtaining  ITAR  licenses  for  export  of  certain 
space-based  fundamental  research  information  or  articles  in  the  public  domain  to  certain 
universities  and  research  centers  in  countries  that  are  members  of  the  North  Atlantic  Treaty 
Organization  (NATO),  the  European  Union,  and  the  European  Space  Agency,  or  to  major 
non-NATO  allies,  such  as  Japan  and  Israel.  Also  to  be  permitted  are  exports  of  certain 
services  and  unclassified  technical  data  for  assembly  of  products  into  scientific,  research, 
or  experimental  satellites.  In  addition,  collaborators  in  approved  countries  would  have  to 
guarantee  that  researchers  from  non-approved  countries  were  not  receiving  restricted 
information.  (For  sources  and  additional  information,  see  CRS  Report  RL31845,  op.  cit.) 
GAO  critiqued  the  procedures  DOC  and  DOD  use  to  identify  and  implement  export  control 
decisions  in:  two  recent  reports,  DOD’s  Critical  Technologies  Lists  Rarely  Inform  Export 
Controls  and  Other  Policy  Decisions,  July  2006,  GAO-06-793  and  Improvements  to 
Commerce’ s  Dual-Use  Sy stem  Needed  to  Ensure  Protection  of  U.S.  Interests  in  the  Post- 
9/11  Environment,  June  2006,  GAO-06-638. 

22  “Controls  on  ‘Deemed  Export’  May  Threaten  Research,”  Secrecy  News,  May  2,  2005. 

23  U.S.  Department  of  Commerce,  Office  of  Inspector  General,  Bureau  of  Industry  and 
Security,  Deemed  Export  Con  trols  May  Not  Stop  the  Transfer  of  Sensitive  Technology  to 
Foreign  Nationals  in  the  U.S.,  Fined  Inspection  Report  No.  OPE-16176,  March  2004,  54  p. 
In  teragency  Review  of  Foreign  Nationals  Access  to  Export-Controlled  Technology  in  the 
United  States,  Vol.  1,  April  2004,  Report  D-20004-062,  33  p. 
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the  operation,  technical  training,  installation,  maintenance,  repair,  overhaul,  or 
refurbishing  of  commercially  available  equipment  used  in  the  research  is  a  “deemed 
export”  that  requires  an  export  license  for  certain  foreign  researchers.  This  would  be 
for  equipment  as  common  as  fermenters  and  global  positioning  system  (GPS) 
locators  and  would  apply  to  students  from  China,  Russia,  India,  and  other  countries 
on  lists  of  countries  that  pose  national  security  threats.  In  a  notice  of  a  proposed  rule 
published  in  the  Federal  Register  on  March  28,  2005, 24  the  DOC  recommended  that 
country  of  birth  rather  than  of  citizenship  or  permanent  residence  be  used  as  the 
criterion  for  determining  nationality  for  deemed  export  controls.  DOD’s  proposed 
rules,  which  would  require  badging,  training,  and  segregated  work  areas  for  eligible 
researchers  and  exclusion  of  others,  were  published  in  July  2005,  when  the  comment 
period  began.25 

Subsequently,  some  university  officials  argued  that  expanded  interpretations  of 
rules  for  “deemed  export”  licenses  may  be  unnecessary.26  Other  members  of  the 
academic  community  cite  problems  in  administering  use  controls,  including 
ambiguity  about  identifying  which  equipment  or  material  in  university  laboratories 
is  subject  to  export  controls;  discrimination  on  the  basis  of  nationality;  difficulty  in 
controlling  access  of  students  and  researchers  in  university  laboratories;  time  required 
to  obtain  licenses  and  inflexibility  in  obtaining  licenses;27  modest  security  benefits; 
slowing  or  preventing  important  discoveries  due  to  licensing  delays;  loss  of  research 
talent  if  students  and  researchers  study  in  other  countries;  and  reduction  in  research 
at  the  leading  edge  of  science. 

The  three  presidents  of  the  National  Academies  [of  Science,  Engineering,  and 
the  Institute  of  Medicine]  opposed  such  controls  in  a  letter  to  DOC  Secretary  Carlos 
M.  Guitierrez,  June  16,  2005,  and  made  several  recommendations,  including  the 
proposal  to  “[c]lear  international  students  and  postdoctoral  fellows  for  access  to 
controlled  equipment  when  their  visas  are  issued  or  shortly  thereafter  so  that  their 
admission  to  a  university  academic  program  is  coupled  with  their  access  to  use  of 
export  controlled  equipment.”  One  policy  group  recommended  an  alternative 
approach:  to  require  a  deemed  export  license  for  “transfers  of  technology  to 
specifically  identified  individuals  if  specific  adverse  information  exists  about  that 


24  “Revision  and  Clarification  of  Deemed  Export  Related  Regulatory 
Requirements, ’’Advanced  Notice  of  Proposed  Rulemaking,  Federal  Register ,  Mar.  28, 2005, 
vol.  70,  no.  58,  pp.  15607-15609. 

25  “Defense  Federal  Acquisition  Regulation  Supplement:  Export-Controlled  Information  and 
Technology,  Proposed  Rule  With  Request  for  Comments,  Federal  Register,  July  12,  2005, 
vol.  70,  no.  132,  p.  39977. 

26  Security  Controls  on  Scientific  Information ,  June  2005,  op.  cit.,  p.  7. 

27  For  instance,  see  rationale  detailed  in  CSIS,  Security  Controls  on  Scientific  Information, 
June  2005,  op.  cit.  pp.  9-12,  and  American  Civil  Liberties  Union,  Science  Under  Siege:  The 
Bush  Administration  ’s  Assault  on  Academic  Freedom  and  Scientific  Inquiry,  Written  by 
Tania  Simoncelli  with  Jay  Stanley,  June  2005,  35  p.,  which  also  summarizes  reports  and  the 
views  of  the  academic  community,  pp.  9-13. 
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individual.”28  In  a  2005  report  prepared  at  congressional  request,  a  National 
Academies  panel  recommended  providing  all  foreign  students  and  researchers 
engaged  in  fundamental  research  with  access  comparable  to  that  provided  to  U.S. 
citizens  and  permanent  residents  and  to  remove  .  all  technology  items  (information 
and  equipment)  from  the  deemed-export  technology  lists  that  are  available  for 
purchase  on  the  overseas  open  market  from  foreign  or  US  companies  or  that  have 
manuals  that  are  available  in  the  public  domain,  in  libraries,  over  the  Internet,  or  from 
manufacturers.”29  The  National  Foreign  Trade  Council  and  other  related  technology 
groups  also  have  opposed  these  rules.30  Others  charge  universities  would  have  to  pay 
“...  millions  of  dollars  to  inventory  sensitive  equipment,  determine  students’ 
birthplaces  and  study  which  foreigners  were  using  which  machines.”31 

In  January  2006,  a  DOC  spokesman  said  that  because  of  comments  received  on 
the  proposed  rule,  DOC  would  modify  its  procedure  and  base  controls  not  on  country 
of  birth,  but  on  a  foreign  national’s  most  recent  country  of  citizenship  or  permanent 
residency.32  DOC  also  established  a  committee  to  examine  its  rules  further.33 
Responding  to  complaints  received  during  the  comment  period,  DOD  modified  its 
proposed  rules  with  a  new  proposal  published  on  August  14,  200634  that  said  it 
would  withdraw  the  prescriptive  identification  requirements  proposed  in  July,  but 
would  continue  to  require  researchers  to  adhere  to  existing  export  control  rules  of  the 
Commerce  and  State  Departments.  Final  comments  were  due  by  October  13,  2006. 

As  for  other  controls  to  deter  terrorism,  more  governmental  scrutiny  has  been 
used  to  review  and  issue  visas  for  foreign  researchers  and  students,  and  more  items 


28  CSIS,  Security  Controls  on  Scientific  Information,  June  2005,  op.  cit ,  p.  12. 

29  The  National  Academies,  Rising  Above  the  Gathering  Storm:  Energizing  and  Employing 
America  for  a  Brighter  Economic  Future,  Executive  Summary,  2005,  p.  6.  See  also  reports 
of  NAS  workshops  in  May  and  Sept.  2005,  Eugene  Russo,  “DoD  Export  Controls  Rule 
Should  Not  Apply  to  Fundamental  Research,  Officials  Say,”  Research  Policy  Alert,  Sept. 
23,  2005;  “National  Academies,  Societies  Criticize  on  DoD’s  Proposed  Export  Control 
Rule,”  Research  Policy  Alert,  Oct.  18,  2005. 

30  Danielle  Belopotosky,  “Techies  Challenge  Planned  Changes  On  ‘Deemed  Exports,”’ 
Technology  Daily,  June  24,  2005. 

31  Scott  Shane.  “Universities  Say  New  Rules  Could  Hurt  U.S.  Research,”  New  York  Times, 
Nov.  26,  2005. 

32  Statement  of  Peter  Lichtenbaum,  Assistant  Secretary  of  Commerce  for  Export 
Adminstration  at  a  conference  at  the  National  Academies  at  which  the  author  of  this  report 
was  present.  See  also  Kelly  Field,  “Commerce  Department  Will  Drop  Some  But  Not  All 
Restrictions  on  Foreign  Researchers,  Colleges  Are  Told,”  Chronicle  of  Higher  Education, 
Jan.  17, 2006.  The  official  announcement  is  “Revisions  and  Clarification  of  Deemed  Export 
Related  Regulatory  Requirements,”  Federal  Register,  May  31,  2006,  vol.  71,  no.  104,  pp. 
30840-30844. 

33  Jeffrey  Brainard,  “Defense  Department  Shelves  Proposal  to  Increase  Restrictions  on 
Foreign  Students,”  Chronicle  of  Higher  Education,  Aug.  15,  2006. 

34  “Defense  Federal  Acquisition  Regulation  Supplement;  Export-Controlled  Information  and 
Technology  (DFARS  Case  2004  —  D010),”  Federal  Register,  vol.  71,  No.  156,  Aug.  14, 
2006,  pp.  46434-46441. 
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have  been  placed  on  the  Technology  Alert  List  (TAL),  which  is  now  classified.  The 
State  Department  uses  the  TAL  to  identify  academic  and  technical  subjects  that  are 
viewed  as  sensitive;  foreign  students  proposing  to  study  these  subject  undergo  extra 
visa  scrutiny  under  the  Visas  Mantis  program.35  The  State  Department  also  has 
tightened  entry/exit  registration  of  foreign  students  and  scholars  and  tracks  their 
activities  in  an  effort  to  deter  terrorism.  These  actions  may  have  prohibited  the  entry 
of  potential  terrorists,  but  some  critics  allege  that  they  have  reduced  the  number  of 
foreign  students  studying  science  and  technology  in  the  United  States36  and  increased 
the  number  of  foreign  students  studying  in  other  countries.37  This,  they  say,  portends 
not  only  erosion  of  the  U.S.  market  share  of  worldwide  Higher  education,  but  also 
a  reduction  in  the  number  of  new  U.S.  scientific  and  technical  personnel.33 

In  2004,  the  federal  government  proposed  rules  declaring  that  American 
scientists  could  not  collaborate  with,  and  American  publishers  could  not  edit  works 
authored  by,  scientists  in  nations  that  are  targets  of  trade  embargoes,  including  Iran, 
Sudan,  Libya,  Cuba,  and  North  Korea.  Most  scientific  societies  opposed  these 
proposals39  on  the  grounds  that  they  reduced  the  intellectual  freedom  of  those  in  other 
countries  and  hampered  international  science.  Subsequently,  the  administering 
agency,  the  U.S.  Treasury  Department’s  Office  of  Foreign  Assets  Control  (OFAC), 
decided  to  permit  editing  and  peer  review,  but  continued  to  prohibit  collaboration 
between  U.S.  scholars  and  researchers  in  a  sanctioned  country.40 


Policies  To  Control  SBU  Information 

The  history  through  2002  of  using  the  label  SBU  was  described  in  detail  in  CRS 
Report  RL3 1 845  and  is  summarized  briefly  in  this  section,  which  also  updates  action 
through  February  15,  2006. 


35  Science  Under  Siege,  op.  cit.,  pp.  14-15. 

36  Molly  Laas,  “Senate  Science  Committee  to  Consider  Easing  Immigration  For  Foreign 
Students,”  Research  Policy  Alert,  Nov.  21,  2005;  Marjorie  J.  Censer,  “Visa  Problems  May 
Damage  U.S.  Science,  Groups  Warn,”  American  Association  of  University  Professors, 
Sept. /Oct.  2004.  See  also:  U.S.  GAO,  Border  Security:  Streamlined  Visas  Mantis  Program 
Has  Lowered  Burden  on  Foreign  Science  Students  and  Scholars,  but  Further  Refinements 
Needed,  GAO-05- 198,  Feb.  2005. 

37  Science  Under  Siege,  op.  cit.,  pp.  1 6-20  and  Alison  Abbott,  “Europe  Revamps  Visa  Rules 
to  Attract  World’s  Best  Minds,”  Nature,  Oct.  27,  2005.  See  also  American  Association  of 
University  Professors,  Report  by  Special  Committee  on  Academic  Freedom  and  National 
Security  in  a  Time  of  Crisis,  Nov./Dec.  2003. 

38  See,  for  example,  “Difficulties  for  Foreign  Scientists  in  Coming  to  the  United  States,” 
Science,  July  14,  2006,  p.  169. 

39  One  that  did  not  is  the  American  Institute  of  Aeronautics  and  Astronautics.  See  Yudhijit 
Bhattacharjee,  “Society  Bars  Papers  From  Iranian  Authors,”  Science,  June  17,  2005. 

40  Science  Under  Siege,  op.  cit.,  pp.  10-11,  and  Yudhijit  Bhattacharjee,  “Scientific 
Publishing:  Editing  No  Longer  Infringes  U.S.  Trade  Sanctions,”  Science,  Dec.  24,  2004. 
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Introduction  to  the  Term  “SBU” 

Federal  agencies  began  to  use  the  term  “SBU”  in  the  1970s,41  but  the  term  has 
never  been  defined  in  statutory  law.  Starting  in  1987  and  continuing  today,  when 
using  the  term  “sensitive  information,”  some  agencies  refer  to  the  definition  for 
sensitive  information  that  was  used  in  the  Computer  Security  Act  of  1987,  P.L.  100- 
235, 42  and  to  information  exempt  from  disclosure  in  the  Freedom  of  Information  Act 
(FOIA)43  and  the  Privacy  Act,  as  amended.44 

Computer  Security  Act  Definition  of  “Sensitive” 

The  Computer  Security  Act  of  1987  (CSA)  was  intended  to  protect  the  security 
and  privacy  of  sensitive  unclassified  information  in  federal  computer  systems  and  the 
systems  themselves.  P.L.  100-235  defined  the  term  “sensitive”  information  as 

any  information,  the  loss,  misuse,  or  unauthorized  access  to  or  modification  of 
which  could  adversely  affect  the  national  interest  or  the  conduct  of  Federal 
programs,  or  the  privacy  to  which  individuals  are  entitled  under  section  552a  of 
title  5,  United  States  Code  (the  Privacy  Act),  but  which  has  not  been  specifically 
authorized  under  criteria  established  by  an  Executive  order  or  an  Act  of  Congress 
to  be  kept  secret  in  the  interest  of  national  defense  or  foreign  policy”  (Section  3). 

Because  P.L.  100-235  applied  to  “sensitive  information”  that  was  not  classified, 
some  say  it  defined  “sensitive  but  unclassified.”  Pursuant  to  the  CSA,  federal 
agencies  were  responsible  for  protecting  such  “sensitive”  information  and  for 
developing  plans  to  secure  it  “commensurate  with  the  risk  and  magnitude  of  the  harm 
resulting  from  the  loss,  misuse,  or  unauthorized  access  to  or  modification  of  the 
information  being  protected.”45  The  CSA,  among  other  things,  required  agencies  to 
develop  security  plans  for  systems  containing  sensitive  information.  It  authorized  the 
National  Bureau  of  Standards  (NBS),  now  called  the  National  Institute  of  Standards 
and  Technology  (NIST),  to  create  a  security-oriented  standards  program.  The 
definition  of  “sensitive  information”  was  placed  within  the  section  that  listed  NBS  ’  s 
functions,  and  subsequently  NIST  became  responsible  when  the  agency’s  name  was 
changed  in  1988.  In  1992,  NIST  issued  guidance  giving  agencies  authority  to 
implement  risk-based  procedures  to  protect  sensitive  information  pursuant  to  P.L. 
100-235.  NIST  reiterated  that  “[interpretation  of  the  CSA’s  definition  of  sensitive 
is,  ultimately,  an  agency  responsibility.”  It  identified  three  security  goals: 

Typically,  protecting  sensitive  information  means  providing  for  one  or  more  of 
the  following:  Confidentiality :  disclosure  of  the  information  must  be  restricted 
to  designated  parties;  Integrity :  The  information  must  be  protected  from  errors 


41  Interview  with  CRS  specialist  Harold  Relyea,  December  2005. 

42  101  Stat.  1724-1730,  40  U.S.C  1441. 

43  5  U.S.C.  552,  as  amended  by  P.L.  104-231,  HO  Stat.  3048. 

44  The  Privacy  Act  of  1974,  5  U.S.C.  Section  552a  ,  as  amended. 

45  U.S.  Congress,  House,  Committee  on  Science  and  Technology,  Computer  Security  Act  of 
1987,  Report  to  Accompany  H.R.  145,  June  11,  1987,  pp.  30-31. 
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or  unauthorized  modification;  Availability.  The  information  must  be  available 
within  some  given  time  frame  (i.e.,  protected  against  destruction). ”46[Emphasis 
added.] 

Although  it  was  not  mandatory,  NIST  urged  agency  information  owners  to  use  a  risk- 
based  approach  to  identify  information  to  be  protected  and  controls  needed  based  on 
risk  of  loss: 

The  type  and  amount  of  protection  needed  depends  on  the  nature  of  the 
information  and  the  environment  in  which  it  is  processed.  The  controls  to  be 
used  will  depend  on  the  risk  and  magnitude  of  the  harm  resulting  from  the  loss, 
misuse,  or  unauthorized  access  to  or  modification  of  the  information  contained 
in  the  system.47 

SBU  in  Relation  to  the  Freedom  of  Information  Act 

Predating  the  CSA,  the  Freedom  of  Information  Act  of  1966  (FOIA)  was 
enacted  to  ensure  public  access  to  certain  types  of  information  held  by  federal 
agencies.  However,  it  permits  agencies  to  exempt  from  public  disclosure  nine  types 
of  information: 

(1)  information  classified  in  the  interest  of  national  defense  or  foreign  policy, 

(2)  internal  personnel  rules  and  practices  of  an  agency, 

(3)  information  specifically  exempted  from  disclosure  by  statute, 

(4)  trade  secrets  and  commercial  or  financial  information  obtained  from  a  person 
and  privileged  or  confidential, 

(5)  inter-agency  or  intra-agency  memoranda  or  letters  reflecting  predecisional 
attitudes, 

(6)  personnel  and  medical  files  and  similar  files  the  disclosure  of  which  would 
constitute  a  clearly  unwarranted  invasion  of  personal  privacy, 

(7)  specified  types  of  law  enforcement  records  or  information, 

(8)  financial  institution  regulation  or  supervision  reports,  and 

(9)  geological  and  geophysical  information  and  data  concerning  wells.48 


46  National  Institute  of  Standards  and  Technology,  “Advising  Users  on  Computer  System 
Technology,”  CSL  Bulletin,  Nov.  1992  [http://nsi.org/Library/Compsec/sensitiv.txt], 

47  “Advising  Users  on  Computer  System  Technology,”  Nov.  1992,  op.  cit. 

48  5  U.S.C.  552. 
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The  CSA,49  the  report  accompanying  it,50  and  NIST  guidance51  included  explicit 
instructions  that  categorizing  information  as  “sensitive”  did  not  confer  authority  to 
withhold  information  sought  pursuant  to  Section  552  of  Title  5,  United  States  Code 
[the  Freedom  of  Information  Act].  Nevertheless,  as  will  be  discussed  below,  some 
federal  agencies  say  that  all  information  categorized  as  For  Official  Use  Only 
(FOUO)  or  in  related  categories  is  SBU,  or  that  all  SBU  information  may  be  withheld 
under  FOIA. 

Department  of  Justice  Broadens  Interpretation  of  Exemptions  From 
FOIA  in  2003  and  2004.52  After  the  terrorist  attacks  of  September  2001,  the  White 
House  and  the  Department  of  Justice,  in  a  series  of  administrative  actions,  expanded 
agencies’  ability  to  withhold  SBU  information.  To  prevent  potential  use  of  sensitive 
information  by  terrorists,  in  March  2002,  the  White  House  issued  the  so-called  “Card 
memo,”  which  required  agencies  to  examine  their  information  holdings  and  policies; 
withhold  information,  including  “sensitive  but  unclassified”  information;  and  use 
FOIA  exemptions  if  there  was  a  sound  legal  basis  to  do  so.  Attorney  General  John 
Ashcroft’s  prior  memorandum  of  October  2001  on  this  issue  was  referenced.  These 
statements  modified  the  previous  Administration’s  policy,  which  urged  agencies  to 
release  information  if  there  was  no  “foreseeable  harm”  in  doing  so.53 


49  According  to  P.L.  100-235,  “Sec.  8. ...  Nothing  in  this  Act,  or  in  any  amendment  made  by 
this  Act,  shall  be  construed  (1)  to  constitute  authority  to  withhold  information  sought 
pursuant  to  Section  552  of  title  5,  United  States  Code;  or  (2)  to  authorize  any  Federal  agency 
to  limit,  restrict,  regulate,  or  control  the  collection,  maintenance,  disclosure,  use,  transfer, 
or  sale  of  any  information  (regardless  of  the  medium  in  which  the  information  may  be 
maintained)  that  is  (A)  privately-owned  information;  (B)  disclosable  under  section  552  of 
title  5,  United  States  Code,  or  other  law  requiring  or  authorizing  the  public  disclosure  of 
information;  or  (C)  public  domain  information.” 

50  The  report  accompanying  the  legislation  said  specifically,  “The  designation  of  information 
as  sensitive  [or  as  subject  to  protection]  under  the  Computer  Security  Act  is  not  a 
determination  that  the  information  is  not  subject  to  public  disclosure”  (H.Rept.  100-153, 
Parti,  June  11,  1987). 

51  The  guidance  said,  “The  Computer  Security  Act  did  not  alter  the  Freedom  of  Information 
Act  (FOIA);  therefore,  an  agency’s  determination  of  sensitivity  under  this  definition  does 
not  change  the  status  of  releaseability  under  the  FOIA”  (“Advising  Users  on  Computer 
System  Technology,”  op.  cit.) 

52  For  detailed  information,  see  CRS  Report  RL31845,  op.  cit. 

53  The  White  House  memo,  signed  by  Chief  of  Staff  Andrew  Card,  entitled  “Action  to 
Safeguard  Information  Regarding  Weapons  of  Mass  Destruction  and  other  Sensitive 
Documents  Related  to  Homeland  Security,”  Mar.  19,  2002,  required  agencies  to  examine 
their  policies  and  holdings  in  accord  with  accompanying  memos  issued  by  the  National 
Archives  and  Records  Administration’s  (NARA)  Information  Security  Oversight  Office 
(ISOO)  and  the  Department  of  Justice’s  Office  of  Information  and  Privacy  (OIP).  The 
purpose  was  to  determine  if  information  should  be  classified  or  handled  as  sensitive  but 
unclassified  information  that  could  be  “misused  to  harm  the  security  of  our  Nation  and  the 
safety  of  our  people”  and  report  their  review  to  the  White  House.  The  accompanying  memo 
included  a  section  titled  “sensitive  but  unclassified  information, ’’which  instructed  agencies 
to  consider  all  applicable  FOIA  exemptions  before  releasing  “sensitive  information  related 
to  America’s  homeland  security”(SHSI)  (“Safeguarding  Information  Regarding  Weapons 

(continued...) 
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Subsequently  in  2003,  the  Department  of  Justice  (DOJ)  issued  guidance  based 
on  court  decisions  that  broadened  interpretation  of  exemptions  from  disclosure  under 
FOIA.54  It  also  discussed  the  new  exemption  three  provision  of  P.L.  107-296,  the 
Homeland  Security  Act  of  2002,  which  protects  voluntarily  submitted  critical 
infrastructure  information.  The  Freedom  of  Information  Act  Guide ,  2004,  explained 
how  an  agency’s  ability  to  restrict  the  release  of  “sensitive”  information  via  FOIA 


53  (...continued) 

of  Mass  Destruction  and  Other  Sensitive  Records  Related  to  Homeland  Security,” 
Memorandum  for  Departments  and  Agencies,  from  Laura  L.S .  Kimberly,  ISOO,  NARA,  and 
Richard  L.  Huff,  and  Daniel  J.  Metcalfe,  OIP,  Dept,  of  Justice,  “Safeguarding  Information 
Regarding  Weapons  of  Mass  Destruction  and  Other  Sensitive  Records  Related  to  Homeland 
Security,”  Mar.  19,  2002).  Agencies  were  referred  to  guidance  that  had  been  issued  by 
Attorney  General  Ashcroft  in  Oct.  2001  that  instructed  agencies,  when  undertaking 
discretionary  disclosure  determinations  under  FOIA  (agencies  can  make  their  own 
discretionary  decisions  about  whether  to  disclose  information  even  if  it  falls  within  one  of 
the  nine  FOIA  exemption  categories)  to  consider  using  broad  interpretations  of  the  FOIA 
exemptions  because  of  the  need  for  heightened  security  in  the  wake  of  the  9/1 1  attacks 
(“New  Attorney  General  FOIA  Memorandum  Issued,”  FOIA  Post,  Oct.  15, 2001,  including 
“Memorandum  for  Heads  of  all  Federal  Departments  and  Agencies,  From:  John  Ashcroft, 
Attorney  General,  Subject:  The  Freedom  of  Information  Act,  Oct.  15,  2001”).  The  memo 
instructed  agencies  to  interpret  FOIA  exemption  two  broadly  to  permit  withholding  of  a 
document  that  if  released  would  allow  circumvention  of  an  agency  rule,  policy  or  statute, 
thereby  impeding  the  agency  in  the  conduct  of  its  mission.  (See  U.S.  Department  of  Justice, 
Freedom  of  Information  Act  Guide  and  Privacy  Act  Overview,  May  2002,  ed.,  pp.  16-17, 
124-127  and  CRS  Report  RL31547,  Critical  Infrastructure  Information  Disclosure  and 
Homeland  Security,  by  John  D.  Moteff  and  Gina  Marie  Stevens.)  In  the  predecessor 
memorandum  issued  by  Attorney  General  Janet  Reno  in  1993,  agencies  were  encouraged 
to  release  documents,  even  if  the  law  provided  a  way  to  withhold  information,  if  there  was 
no  “foreseeable  harm”  from  doing  do. 

In  2002  and  2003,  the  House  oversight  committee  on  FOIA,  the  Committee  on 
Government  Reform,  called  the  Attorney  General’s  October  2001  memorandum  into 
question  and  specifically  rejected  its  standard  to  allow  the  withholding  of  information 
sought  under  FOIA  whenever  there  is  merely  a  “sound  legal  basis”  for  doing  so.  The 
committee  directed  agencies  to  withhold  documents  only  in  those  cases  when  the  agency 
reasonably  foresees  that  disclosure  would  be  harmful  to  an  interest  protected  by  an 
exemption  (A  Citizen’s  Guide  on  Using  the  Freedom  of  Information  Act  and  the  Privacy  Act 
of  1974  to  Request  Government  Records,  107th  Cong.,  2nd  sess.  H.Rept.  107-371,  2002,  p. 
3;  and  in  a  report  with  the  same  title,  108th  Congress,  1st  sess.,  2003,  H.Rept.  108-172). 

54  On  June  25,  2003  officials  from  the  DOJ’s  Office  of  Information  and  Privacy  and  from 

the  National  Security  Council  held  a  closed  conference  that  was  summarized  on  the  DOJ 
website.  (U.S.  Department  of  Justice, ’’FOIA  Officers  Conference  Held  on  Homeland 
Security,”  FOIA  Post,  July  3,  2003  [http://www.usdoj.gov/oip/foiapost/ 

2003foiapost25.htm]).  Among  other  things,  it  reviewed  several  court  cases  in  2003  that 
allowed  agencies  to  use  national  security  considerations,  other  than  those  defined  in  FOIA 
exemption  1,  to  withhold  information  of  possible  use  to  terrorists.  These  included  one  that 
allowed  the  U.S.  Customs  Service  to  use  exemption  2  to  deny  information  on  inspections 
of  seaport  operations  {Coastal  Delivery  Corp.  v.  U.S.  Customs  Service,  decided  Mar.  17, 
2003,  by  the  U.S.  District  Court  in  Los  Angeles),  and  another  to  allow  withholding  under 
exemption  7  (e)  of  “inundation  maps”that  had  been  compiled  as  law  enforcement  records 
and  showed  flood  area  below  Hoover  and  Glen  Canyon  dams  ( Living  Rivers,  Inc.,  v.  the  U.  S. 
Bureau  of  Reclamation,  Mar.  25,  2003.  by  the  U.S.  District  Court  in  Salt  Lake  City). 
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would  be  broadened;  and,  citing  the  September  11, 2001,  attacks,  the  passage  of  P.L. 
107-296,  and  the  creation  of  the  Department  of  Homeland  Security  (DHS),  cautioned 
vigilance  on  releasing  “sensitive”  information: 

These  changes  have  greatly  impacted  many  aspects  of  the  operation  of  the 
federal  government,  including  the  administration  of  the  FOIA.  Much  greater 
emphasis  is  now  placed  on  the  protection  of  information  that  could  expose  the 
nation’s  critical  infrastructure,  military,  government,  and  citizenry  to  an 
increased  risk  of  attack.  As  a  result  of  these  changes,  federal  departments  and 
agencies  should  carefully  consider  the  sensitivity  of  any  information  the 
disclosure  of  which  could  reasonably  be  expected  to  cause  national  security 
harm.55 

The  Guide  reiterated,  however,  that  use  of  labels  such  as  SBU,  SHSI,  and  so 
forth  does  not  “provide  for  any  protection  from  disclosure  under  any  [FOIA] 
exemption ...”  [except  for  critical  infrastructure  information  (CII),  which  is  protected 
by  statute] .  Nevertheless,  the  Guide  encouraged  agencies  to  exempt  from  disclosure 
information  labeled  “SHSI”  or  other  nonclassified  information  that  is  highly 
sensitive,  as  referenced  in  the  aforementioned  court  decisions  and  in  Homeland 
Security  Presidential  Directive  HSPD-7,  issued  on  December  22,  2003: 

[W]hatever  the  safeguarding  label  that  an  agency  might  (or  might  not  )  use  for  the 
information  maintained  by  it  that  has  special  sensitivity  —  e.g.,  “for  official  use 
only”  (FOUO),  “restricted  data”  (a  Department  of  Energy  designation),  or 
“sensitive  homeland  security  information”  (SHSI)  —  whenever  predominantly 
internal  agency  records  may  reveal  information  the  disclosure  of  which  could 
reasonably  be  expected  to  cause  any  of  the  harms  described  above  [to  critical 
systems,  facilities,  stockpiles,  and  other  assets],  responsible  federal  officials 
should  carefully  consider  the  propriety  of  protecting  such  information  under 
Exemption  2. 56 

SBU  Information  Policies  in  the  Homeland  Security  Act,  P.L. 
107-296,  and  Subsequent  Presidential  Action 

The  Homeland  Security  Act,  P.L.  107-296,  signed  on  November  25,  2002, 
defined  homeland  security  information  as  “any  information  possessed  by  a  Federal, 
State  or  local  agency  that  (A)  relates  to  the  threat  of  terrorist  activity;  (B)  relates  to 
the  ability  to  prevent,  interdict,  or  disrupt  terrorist  activity;  (C)  would  improve  the 
identification  or  investigation  of  a  suspected  terrorist  or  terrorist  organization;  or  (D) 
would  improve  the  response  to  a  terrorist  act.”57  The  law,  among  other  things, 
required  agencies  to  develop  information- sharing  systems  to  transmit  classified  or 
unclassified  information  and  to  share  it  with  appropriate  recipients,  including  those 
at  the  state  and  local  levels.  It  also  recognized  the  use  of  nondisclosure  agreements 
for  sharing  sensitive  but  unclassified  information  with  state  and  local  personnel. 


55  FOIA  Guide ,  2004  Edition,  Exemption  one,  [http://www.usdoj.gov/oip/foi-act.htm], 

56  FOIA  Guide,  2004  Edition,  Exemption  Two. 

57  6  U.S.C.  482  (f). 
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Section  892,  as  amended,58  required  the  President  to  “prescribe  and  implement 
procedures”  for  federal  agencies  to  “identify  and  safeguard  sensitive  homeland 
security  information  that  is  sensitive  but  unclassified,”  [now  abbreviated  SHSI]  and 
to  prescribe  procedures  to  share  this  information  with  other  federal  agencies  and 
appropriate  state  and  local  personnel  (required  by  section  892  (a)  (1)  (A)(B)  of  P.L. 
107-296).  In  Executive  Order  13311,  July  29,  2003,  the  President  transferred  some 
of  these  functions  to  the  Department  of  Homeland  Security  Secretary,  to  be  carried 
out  in  consultation  with  other  governmental  officials.59  The  President  is  still 
mandated  to  prescribe  procedures  for  federal  agencies.  Section  893  of  the  law  had 
required  the  President  to  report  to  specified  congressional  committees  about 
implementation  of  section  892  and  any  recommendations  for  additional  measures  to 
“increase  the  effectiveness  of  sharing  of  information  between  and  among  Federal, 
State,  and  local  entities.”  According  to  that  report60  and  other  documents,61  in  2004, 
DHS  was  preparing  the  guidance  to  identify  and  protect  sensitive  but  unclassified 
SHSI.  In  its  report  to  Congress,  DHS  wrote  that  the  procedures  it  was  developing 

will  provide  guidance  on  identifying  SHSI  by  defining  SHSI,  establishing 
uniform  procedures  for  identifying  and  marking  SHSI,  and  delineating  entities 
with  which  it  may  be  properly  shared.  The  procedures  will  aid  in  safeguarding 
SHSI  by  establishing  uniform  minimum  standards  for  the  secure  handling  of 
sensitive  information  designated  as  SHSI,  in  a  manner  consistent  with  existing 
law.  Lastly,  the  procedures  will  help  to  facilitate  the  sharing  of  SHSI  with 
appropriate  Federal,  state  and  local  users,  while  also  protecting  it  from 
unwarranted  public  disclosure  that  could  result  in  reduction  of  the  ability  of 
Federal,  State,  and  local  authorities  to  protect  against  threats  to  our  homeland 
security.62 

The  referenced  guidance  had  not  been  issued  as  of  November  14,  2006,  and, 
before  being  made  final,  was  to  have  been  sent  to  the  Office  of  Management  and 
Budget  for  release  and  a  period  of  public  comment.63  In  a  related  development,  on 
December  16,  2005,  the  President  issued  a  memorandum  to  federal  agencies, 
“Guidelines  and  Requirements  in  Support  of  the  Information  Sharing  Environment,” 
that  included  requiring  agencies  to  standardize  procedures  “for  designating,  marking, 
and  handling  SBU  information  ...  across  the  Federal  Government”  in  order  to 


58  Amended  by  Section  3 16  of  the  Intelligence  Authorization  Act  for  Fiscal  Year  2004,  P.L. 
108-177,  Section  316,  117  Stat.  2599,  2610-11  (2003).  This  section  mandates  that  DHS 
develop  a  training  program  for  state  and  local  officials  to,  among  other  things,  improve  their 
ability  to  identify  and  report  threat  information. 

59  Executive  Order  13311,  Federal  Register,  July  29, 2003,  pp.  45149-45150.  The  President 
retained  responsibility  to  “ensure  that  such  procedures  apply  to  all  agencies  of  the  Federal 
Government....” 

60  Report  Pursuant  to  Section  893,  not  dated  but  reportedly  sent  to  the  committee  chairmen 
in  February  2004,  op.  cit. 

61  U.S.  Department  of  Justice,”  FOIA  Officers  Conference  Held  on  Homeland  Security,” 
FOIA  Post,  July  3,  2003,  [http://www.usdoj.gov/oip/foiapost/2003foiapost25.htm], 

62  Report  Pursuant  to  Section  893,  2004,  op.  cit.,  p.  5. 

63  Interview  with  OMB  officials,  Nov.  10,  2004. 
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promote  both  appropriate,  consistent  safeguarding  and  sharing  of  information.64 
Within  90  days  agencies  were  to  inventory  specific  SBU  information  procedures, 
determine  the  authority  for  each  entry,  assess  the  effectiveness  of  procedures,  and 
report  to  the  Director  of  National  Intelligence  (DNI),  who  is  to  provide  the  results  to 
the  Secretary  of  Homeland  Security  and  the  Attorney  General.  Within  a  year,  the 
DNI  in  coordination  with  specific  department  and  agency  heads  is  to  submit 
recommendations  to  the  President  through  the  DNI  for  government- wide  standards 
for  all  SBU  information.  The  Program  Manager  for  the  Information  Sharing 
Environment  is  to  support  executive  departments  and  agencies  implementation,  as 
well  as  in  the  development  of  relevant  guidance  and  training  programs  for  the 
standardized  SBU  procedures. 

According  to  a  news  report,  an  interagency  group  has  been  working  on  this 
issue.  But  federal  agencies  have  not  yet  agreed  upon  which  SBU-related  labels  to  use 
and  which  to  give  up.  Furthermore  state  and  local  officials  apparently  have  disagreed 
about  which  labels  should  be  retained.  Reportedly,  in  June  2006,  the  Department  of 
Justice  and  the  Department  of  Homeland  Security 

...  delivered  a  36-page  report  recommending  that  the  group  continue  its  efforts 
to  settle  on  a  new  system.  (In  a  small  sign  of  progress,  they  also  urged  agencies 
to  stop  creating  new  labels,  according  to  one  intelligence  official.)  The  White 
House  concluded  that  the  proposal  lacked  substance  and  told  the  two  agencies 
to  try  again,  the  official  said.65 

Similarly, 

According  to  Aftergood,  the  report  [which  was  then  pending]  “...  set  forth 
principles  upon  which  SBU  policy  should  be  based,  but  stops  short  of  the  crucial 
task  of  defining  exactly  how  those  principles  ought  to  be  implemented, 
government  officials  said.  One  of  those  principles  is  that  each  type  of  control  on 
unclassified  information  should  have  a  uniform,  public  and  government-wide 
definition  so  that  it  is  employed  the  same  way  by  all  agencies.”66 

Testimony  on  this  issue  was  heard  at  a  hearing  held  on  May  10,  2006.  (See 
below  in  the  section  labeled  “Studies  and  Hearings  on  SBU  During  2006.”) 

In  November  2006,  the  Program  Manager  for  the  Information  Sharing 
Environment  issued  a  report  entitled,  Information  Sharing  Environment 
Implementation  Plan.  Chapter  10  described  creation  of  an  interagency  coordinating 
committee  which  plans  to  issue  guidelines  and  recommendations  for  SBU 
standardization  during  the  1st  quarter  of  CY2007. 


64  Information  Sharing  Guideline  3  [http://www.fas.org/sgp/news/2005/12/whl21605- 
memo.html], 

65  Siobhan  Goirman,  “Turf  War  Hampers  War  on  Terror:  Justice,  Homeland  Security’s 
Failure  to  Agree  on  semantics  Hinders  Information  Sharing,”  Baltimore  Sun,  July  13, 2006. 

66  “Agencies  Pursue  Standardized  Policy  for  ‘Sensitive’  Info,”  Secrecy  News,  July  12, 2006. 


CRS-17 


Requirements  to  Use  Mandatory  Minimum  NIST- 
Generated  Risk  Standards  To  Protect  All 

Information 

As  noted  above,  the  Computer  Security  Act  of  1987  (CSA)  authorized  the 
Department  of  Commerce’ s  NBS  (and  then  its  successor,  NIST)  to  develop  standards 
and  guidelines  for  federal  agencies  to  protect  sensitive  information  on  federal 
computer  information  systems.  The  act  defined  sensitive  information  that  was  not 
classified.  (For  a  definition,  see  the  section  above  entitled  “Computer  Security  Act 
Definition  of  Sensitive.”)  Under  the  CSA,  agencies  could  obtain  a  waiver  not  to  use 
the  standards. 

The  CSA  provisions  were  modified  with  passage  of  the  Federal  Information 
Security  Act  of  2002,  (FISMA),  P.L.  107-347,  December  2002.67  While  CSA 
required  the  development  of  standards  to  protect  sensitive  information,  FISMA 
required  the  development  of  standards  to  protect  all  information,  and  did  not  refer  to 
sensitive  information  when  mandating  development  of  standards.  It  rewrote  the 
section  of  the  NIST  act  that  required  development  of  standards  for  sensitive 
information,  and  had  used  the  CSA  definition  of  “sensitive”  information  (15  U.S.C. 
278g-3).  The  law  replaced  aspects  of  the  CSA,  including  the  definition  of  “sensitive” 
information  because  the  definition  was  considered  static  and  unresponsive  to 
changing  information  systems  environments.68  FISMA  also  deleted  specific 
requirements  to  inventory  information  systems  that  contained  sensitive  information.69 


67  FISMA  clarified  and  changed  some  provisions  of  the  Government  Information  Security 
Reform  Act  (GISRA),  which  was  part  of  the  Floyd  D.  Spence  National  Defense 
Authorization  Act  of  FY2001  (Div.  A,  Title  X,  Subtitle  G,  sec.  1061-1065,  P.L.  106-398, 
Oct.  30,  2000).  While  GISRA  expanded  NIST’s  functions  regarding  developing  risk-based 
standards,  it  would  have  sunseted  in  2002  and  did  not,  like  FISMA,  render  moot  the 
definition  of  sensitive  as  used  in  CSA.  See  U.S.  Congress,  House,  Committee  on 
Government  Reform,  E-Government  Act  of 2002.  H.Rept.  107-787,  Part  1,  107th  Congress, 
2nd  sess.,  Nov.  14,  2002,  pp.  54-61.  Specifically,  according  to  the  report,  “the  purpose  of 
FISMA  is  to  permanently  authorize  a  government-wide  risk-based  approach  to  information 
security  by  eliminating  GISRA’ s  two-year  sunset,  and  to  further  strengthen  Federal 
information  security  by  requiring  compliance  with  minimum  mandatory  management 
controls  for  securing  information  and  information  systems,  clarifying  and  strengthening 
current  management  and  reporting  requirements,  and  strengthening  the  role  of  National 
Institute  of  Standards  and  Technology  (NIST)”  (p.  54). 

68  This  was  described  in  the  House  Committee  on  Government  Reform  report  on  the 
amended  version  of  the  bill  that  was  enacted,  H.Rept.  107-787,  part  I,  op.  cit.,  describing 
section  303  of  what  eventually  became  P.L.  107-347. 

69  Section  305  of  P.L.  107-347  repealed  section  6  of  the  CSA,  which  required  the 
identification  of  systems  containing  sensitive  information  and  the  development  of  systems 
security  plans,  which,  according  to  the  legislative  report  accompanying  the  bill  that  was 
enacted,  “is  unnecessary  given  the  overall  scheme  and  specific  requirements  for  agency  risk- 
based  management  of  information  and  information  systems  supporting  agency  operations 
and  assets”  (H.Rept.  107-787,  pt.  1.  p.  87.  See  also  CRS  Report  RL31057,  A  Primer  on  E- 
Government;  Sectors,  Stages,  Opportunities,  and  Challenges  of  Online  Governance,  Jeffrey 

(continued...) 
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These  actions,  in  essence,  rendered  the  definition  moot.  Also,  under  FISMA, 
agencies  may  no  longer  obtain  a  waiver  to  not  use  the  standards  developed  by  NIST. 

Specifically,  section  303  of  P.L.  107-347  updated  NIST’s  mission  in  light  of 
new  understandings  relating  to  information  security  and  required  NIST,  in 
consultation  with  other  agencies,  including  OMB,  the  National  Security  Agency,  the 
Government  Accountability  Office  (GAO),  and  the  DHS,  to  develop  risk-based 
standards  to  categorize  “the  criticality  and  sensitivity  of  agency  information 
according  to  information  security  control  objectives  and  across  a  range  of  risk  levels” 
and  to  develop  minimum  information  security  requirements  for  each  information 
category.  Under  FISMA,  the  standards  NIST  was  directed  to  develop  and  the 
Secretary  of  Commerce  to  promulgate,  are  to  be  issued  by  the  Director  of  OMB  in 
consultation  with  the  Secretary  of  Homeland  Security70  as  mandatory  minimum 
federal  information  processing  standards  (FIPS)  that  agencies  and  their  contractors 
must  use  to  protect  all  nonclassified  information  and  information  systems  based  on 
a  range  of  risk  levels.71  FISMA  is  silent  on  defining  “sensitive”  or  the  relationship 
between  the  act  and  SBU  or  the  sensitive  homeland  security  information  referred  to 
in  section  892  of  the  Homeland  Security  Act  of  2002,  P.L.  107-296. 

FISMA  also  clarified  management  and  reporting,  strengthened  NIST’s  role  and 
responsibilities,  and  consolidated  statutory  information  security  requirements.  The 
OMB  is  required  by  FISMA  to  authorize  formally  and  accredit  each  agency’s 
nonsecurity  information  system  as  established  by  the  information  security  plan. 
(Responsibility  for  certification  of  national  security  information  systems  is  shared 
between  DOD  and  the  Central  Intelligence  Agency.)  The  three  security  objectives 
—  confidentiality,  integrity,  and  availability  —  that  NIST  has  used  in  previous 
guidance  are  to  continue  to  guide  NIST  in  its  development  of  standards  (116  STAT. 


69  (...continued) 

W.  Seifert). 

70  OMB,  in  consultation  with  the  Secretary  of  Homeland  Security,  has  responsibility  under 
FISMA  to  issue  the  standards  and  guidelines  developed  by  NIST  (40  U.S.C.  1 1331  (b)  (1) 
(A))  and  promulgated  by  the  Secretary  of  Commerce.  In  addition,  OMB  manages  the 
federal  acquisition  regulation  (FAR).  It  is  to  be  updated  to  include  the  information  security 
requirements  of  FISMA,  so  that  new  agency  contracts  for  information  systems  would  reflect 
them.  (U.S.  GAO,  Information  Security:  Improving  Oversight  of  Access  to  Federal  Systems 
and  Data  by  Contractors  Can  Reduce  Risk,  April  2005,  GAO-05-362.p.  3.)  See  also,  U.S. 
GAO,  Information  Security:  Weaknesses  Persist  at  Federal  Agencies  Despite  Progress 
Made  in  Implementing  Related  Statutory  Requirements,  July  2005,  GAO-05-552. 

71  Specifically,  Title  III  of  FISMA  requires,  “(b)  Minimum  requirements  for  standards  and 
guidelines.  The  standards  and  guidelines  required  by  subsection  (a)  of  this  section  shall 
include,  at  a  minimum  —  (1)  (A)  standards  to  be  used  by  all  agencies  to  categorize  all 
information  and  information  systems  collected  or  maintained  by  or  on  behalf  of  each  agency 
based  on  the  objectives  of  providing  appropriate  levels  of  information  security  according 
to  a  range  of  risk  levels;  (B)  guidelines  recommending  the  types  of  information  and 
information  systems  to  be  included  in  each  such  category;  and  (C)  minimum  information 
security  requirements  for  information  and  information  systems  in  each  such  category 
(U.S.  Code,  Title  15,  Chapter  7,  Section  278g-3.  Computer  standards  program,  i.e.,  15 
U.S.C.  278g-3). 
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2947,  P.L.  107-347,  title  IE,  paragraph  301),  although  these  concepts  were  broadened 
from  the  way  NIST  originally  used  them  in  1992  to  read: 

The  term  “information  security”  means  protecting  information  and  information 
systems  from  unauthorized  access,  use,  disclosure,  disruption,  modification,  or 
destruction  in  order  to  provide  —  (A)  integrity,  which  means  guarding  against 
improper  information  modification  or  destruction  and  includes  ensuring 
information  nonrepudiation  and  authenticity;  (B)  confidentiality,  which  means 
preserving  authorized  restrictions  on  access  and  disclosure,  including  means  for 
protecting  personal  privacy  and  proprietary  information;  and  (C)  availability, 
which  means  ensuring  timely  and  reliable  access  to  and  use  of  information  (Sec. 

301  of  P.L.  107-347). 

The  law  also  allows  agencies  to  develop  more  stringent  standards  than  those 
generated  by  NIST,  since  it  — 

preserves  the  provision  in  current  law  (at  40  U.S.C  1 133 1(c)  permitting  agencies 
to  use  more  stringent  standards  than  provided  by  NIST-developed  standards,  but 
only  if  those  more  stringent  standards  incorporate  applicable  mandatory  NIST 
requirements  and  are  otherwise  consistent  with  the  risk  management  policies  and 
guidelines  issued  by  OMB  under  44  U.S.C.  3533. 72 

NIST’s  Policies,  Standards,  and  Documents 

The  risk  analysis  procedures  and  information  systems  controls  specified  by 
NIST  have  been  developed  iteratively,  incorporating  public  comments  since  the  end 
of  2002.  Several  reports  constitute  the  NIST  documentation  standards  and  two  are 
core,  that  is  FIPS  Publication  199  and  FIPS  Publication  200.  NIST  had  anticipated 
publishing  all  documentation  by  the  statutory  deadline  of  December  2005  when 
implementation  was  to  become  mandatory, 73  but  the  final  document  in  the  series, 
dubbed  FIPS  Publication  200,  was  delayed  a  few  months  until  March  2006. 74 
Agencies  are  to  use  NIST’s  guidance  documents  and  risk  management  procedures 
to  categorize  federal  information  and  information  systems  and  to  determine  security 
protection  levels  for  them  based  on  level  of  risk.75 

The  first  core  document,  Federal  Information  Processing  Standards  ( FIPS )  199, 
Standards  for  Security  Categorization  of  Federcd  information  and  Information 
Systems,  commonly  called  FIPS  199,  issued  in  final  form  in  February  2004,  provides 
a  common  framework,  method,  and  mandatory  standards  for  agencies  to  use  to 
identify  information  to  protect  (that  is  not  governed  by  national  security  controls) 


72  Paragraph  (a)  (3)  of  section  302,  according  to  H.Rept.  107-787,  pt.  1,  p.  84. 

73  William  Jackson,  “FISMA  Guidance  Nearly  Complete,”  Government  Computer  News, 
Oct.  26,  2005. 

74  National  Institute  of  Standards  and  Technology,  Minimum  Security  Requirements  for 
Federal  Information  and  Information  Systems,  Federal  Information  Processing  Standards 
Publication,  FIPS  Pub  200,  March  2006. 

75  Based  in  part  on  Ron  Ross,  “FISMA  Implementation  Project;  Protecting  the  Nation’s 
Critical  Information  Infrastructure;  An  Overview,”  Slide  Show,  Version  1.4. 
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according  to  the  potential  impact  of  loss.  FIPS  199  enables  agencies  to  identify 
and  prioritize  their  most  important  information  and  information  systems  by  defining 
the  maximum  impact  a  break  in  confidentiality,  integrity,  or  availability  would  have 
on  the  agency’s  operation,  assets,  and/or  individuals.”76  It  establishes  a  continuum 
of  “criticality  and  sensitivity”  for  information  dependent  upon  agency  requirements 
and  priorities.  The  potential  minimum  impact  value  (low,  moderate,  or  high77)  on  the 
compromise  of  a  security  objective  is  the  highest  value  (i.e.,  high-water  mark)  for 
security  categories  for  each  type  of  information  on  the  system.78 

FIPS  Publication  200,  Minimum  Security  Requirements  for  Federal  Information  and 
Information  Systems,  the  second  of  the  mandatory  security  standards  documents, 
specifies  minimum  security  requirements  for  information  and  information  systems 
supporting  the  federal  agencies  and  a  risk-based  process  for  selecting  the  security 
controls  necessary  to  satisfy  the  minimum  security  requirements.  This  standard  is 
intended  to  establish  minimum  levels  of  due  diligence  for  information  security  and 
to  facilitate  a  more  consistent,  comparable,  and  repeatable  approach  for  selecting  and 
specifying  security  controls  for  information  systems  that  meet  minimum  security 
requirements. 


76  Shirley  Radack,  ITL  Bulletin,  Mar.  2004,  p.  1 . 

77  “...  [L]ow  [or  limited],  moderate  [having  a  serious  adverse  effect],  or  high  [severe  or 
catastrophic  adverse]  impact  for  the  three  security  objectives  of  confidentiality,  integrity 
(including  authenticity  and  non-repudiation),  and  availability”(Ron  S.  Ross,  Computer 
Security  Division,  NIST,  “The  New  FISMA  Standards  and  Guidelines.  Changing  the 
Dynamic  of  Information  Security  for  the  Federal  Government,”  [2003],  p.  2.  For  additional 
details,  see  NIST,  Standards  for  Security  Categorization  of  Federal  Information  and 
Information  Systems,  FIPS  Publication  199,  Dec.  2003,  pp.  1-3). 

78  As  an  example  “...  A  power  plant  contains  a  SCADA  (supervisory  control  and  data 
acquisition)  system  controlling  the  distribution  of  electric  power  for  a  large  military 
installation.  The  SCADA  system  contains  both  real-time  sensor  data  and  routine 
administrative  information.  The  management  at  the  power  plant  determines  that  (I)  for  the 
sensor  data  being  acquired  by  the  SCADA  system,  there  is  no  potential  impact  from  a  loss 
of  confidentiality,  a  high  potential  impact  from  a  loss  of  integrity,  and  a  high  potential 
impact  from  a  loss  of  availability;  and  (ii)  for  the  administrative  information  being  processed 
by  the  system,  there  is  a  low  potential  impact  from  a  loss  of  confidentiality,  a  low  potential 
impact  from  a  loss  of  integrity,  and  a  low  potential  impact  from  a  loss  of  availability.  The 
resulting  security  categories,  SC,  of  these  information  types  are  expressed  as:  SC  sensor  data 
=  {(confidentiality,  NA), (integrity,  HIGH),  (availability,  HIGH)},  and  SC  administrative 
information  =  {(confidentiality,  LOW),  (integrity,  LOW),  (availability,  LOW)}.  The 
resulting  security  category  of  the  information  system  is  initially  expressed  as:  SC  SCADA 
system  =  {(confidentiality,  LOW),  (integrity,  HIGH),  (availability,  HIGH)},  representing 
the  high  water  mark  or  maximum  potential  impact  values  for  each  security  objective  from 
the  information  types  resident  on  the  SCADA  system.  The  management  at  the  power  plant 
chooses  to  increase  the  potential  impact  from  a  loss  of  confidentiality  from  low  to  moderate 
reflecting  a  more  realistic  view  of  the  potential  impact  on  the  information  system  should 
there  be  a  security  breach  due  to  the  unauthorized  disclosure  of  system-level  information  or 
processing  functions.  The  final  security  category  of  the  information  system  is  expressed  as: 
SC  SCADA  system  =  {(confidentiality,  MODERATE),  (integrity,  HIGH),  (availability, 
HIGH)}.”  (FIPS  199.) 
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NIST  Special  Publication  800-60,  Guide  for  Mapping  Types  of  Information  and 
Information  Systems,  issued  in  final  version  in  June  2004, 79  is  intended  to  help 
agencies  identify  their  information  types  and  systems  and  to  assign  impact  levels  for 
confidentiality,  integrity,  and  availability  for  them  for  a  range  of  risk  levels.  The 
impact  levels  are  based  on  the  security  categorization  guidelines  in  FIPS  Publication 
199. 80  Special  Publication  800-60  gives  agencies  explicit  guidance  on  developing 
impact  standards  for  each  of  the  three  risk  categories  for  all  types  of  information  and 
information  systems  handled  by  federal  agencies  (based  on  OMB ’s  Federal 
Enterprise  Architecture  Program  Management  Office’s  publication,  The  Business 
Reference  Model  Version  2.0).  Agencies  are  given  guidance  to  determine  impact 
levels  for  information  in  fields  such  as  public  health,  environmental  management, 
energy,  and  general  sciences  and  innovation,  including  research  and  development. 
Thus  the  high-water  mark,  or  highest  value  category  for  security  impact  (and  thus 
minimum  security  categorization)  for  both  “Scientific  and  Technical  Research  and 
Innovation  Information”  and  for  “Research  and  Development  Information,”  is 
moderate.81  Examples  of  minimum  security  categories  for  some  other  types  of 
information  are  environmental  remediation  information,  moderate;82  pollution 
prevention  and  control,  low;83  and  health  care  services,  high.84  Each  explanation 
describes  circumstances,  including  homeland  security  and  national  security-related 
implications,  that  agencies  could  identify  to  raise  the  threshold  level  of  security 
controls  for  each  type  of  information. 

When  agencies  need  to  evaluate  the  levels  of  protection  for  information,  they 
are  to  undertake  a  risk  assessment  using  threat  and  vulnerability  analysis  that 
incorporates  local  conditions  and  then  adjust  their  security  controls  using  NIST 
publication  SP  800-30. 85  An  agency  is  to  identify  the  minimum  information  security 
requirements  (i.e.,  management,  operational,  and  technical  controls)  for  information 
and  information  systems  in  each  such  category  as  identified  in  document  800-53,  that 
is  Recommended  Security  Controls  for  Federcd  Information  Systems,  February  2005 . 
NIST  identified  17  types  of  security  control  clusters  to  guide  selection  of  minimum 
security  controls  (i.e.,  safeguards  and  countermeasures)  to  protect  information  and 
information  systems  and  154  uniquely  identified  controls  (i.e.,  management, 
operational,  and  technical  security  controls)  for  information  and  information  systems 


79  William  C.  Barker,  Volume  1:  Guide  for  Mapping  Types  of  Information  and  Information 
Systems  to  Security  Categories,  NIST  Special  Publication  800-60,  Version  2.0,  June  2004, 
pp.  21-22.  William  C.  Barker  and  Annabelle  Lee,  NIST,  Information  Security,  Volume  II: 
Appendixes  to  Guide  for  Mapping  Types  of  information  and  Information  Systems  to  Security 
Categories,  June  2004,  295  pages. 

80  Barker,  Volume  1,  NIST  Special  Publication  800-60,  June  2004,  op.  cit.,  pp.  21-22. 

81  NIST  Special  Publication  800-60,  op.  cit.,  pp.  217-218. 

82  NIST  Special  Publication  800-60,  op.  cit.,  pp.  154-155. 

83  NIST  Special  Publication  800-60,  op.  cit.,  p.  120. 

84  NIST  Special  Publication  800-60,  op.  cit.,  p.  120. 

85  Risk  Management  Guide  for  Information  Technology  Systems,  Recommendations  of  the 
National  Institute  of  Standards  and  Technology,  by  Gary  Stoneburner,  Alice  Goguen,  and 
Alexis  Feringa,  NIST,  SP  800-30,  July  2002.  ’ 
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in  each  category.  These  include  access  control;  awareness  and  training;  audit  and 
accountability;  certification,  accreditation,  and  security  assessments;  configuration 
management;  contingency  planning;  identification  and  authentication;  incident 
response;  maintenance;  media  protection;  physical  and  environmental  protection; 
planning;  personnel  security;  risk  assessment;  systems  and  services  acquisition; 
system  and  communications  protection;  and  system  and  information  integrity.86 

A  Formal  Risk  Analysis  Process  Is  Not  Required.  OMB’s  apparent 
operative  guidance  for  information  security  protection,  Appendix  HI  of  OMB 
Circular  A- 130, 87  cautions  agencies  that  they  do  not  need  to  conduct  expensive, 
formal  risk  analyses  to  fulfill  these  requirements.  Specifically,  Appendix  El  to  OMB 
Circular  A- 130  says  that  OMB 

no  longer  requires  the  preparation  of  formal  risk  analyses.  In  the  past,  substantial 
resources  have  been  expended  doing  complex  analyses  of  specific  risks  to 
systems,  with  limited  tangible  benefit  in  terms  of  improved  security  for  the 
systems.  Rather  than  continue  to  try  to  precisely  measure  risk,  security  efforts 
are  better  served  by  generally  assessing  risks  and  taking  actions  to  manage  them. 
While  formal  risk  analyses  need  not  be  performed,  the  need  to  determine 
adequate  security  will  require  that  a  risk-based  approach  be  used.  This  risk 
assessment  approach  should  include  a  consideration  of  the  major  factors  in  risk 
management:  the  value  of  the  system  or  application,  threats,  vulnerabilities,  and 
the  effectiveness  of  current  or  proposed  safeguards.  Additional  guidance  on 
effective  risk  assessment  is  available  in  “An  Introduction  to  Computer  Security: 

The  NIST  Handbook”  (March  16,  1995).88 

While  NIST  recognizes  this  dictum,  it  seems  that  little  information  is  available  about 
how  agencies  make  decisions  to  categorize  information  in  response  to  NIST 
standards.89 

Nongovernmental  Experts’  Recommendations  to  Use  Risk 
Analysis  to  Identify  and  Control  Sensitive  Information 

Nongovernmental  experts  have  recommended  using  various  types  of  risk-based 
processes  to  identify,  categorize,  and  develop  controls  for  sensitive  information 
involving  science  and  technology,  and  other  kinds  of  information  control.90  For 


86  NIST,  Recommended  Security  Controls  for  Federal  Information  Systems,  Special 
Publication  800-53,  Appendix  D  and  Appendix  F. 

87  OMB  Circular  A- 130,  Appendix  III,  “Security  of  Federal  Automated  Information 
Resources,”  to  “OMB  Circular  A- 130,  Transmittal  Memorandum  #4,  Management  of 
Federal  Information  Resources  (11/28/2000),”  requires  agencies  and  their  contractors  to 
maintain  programs  that  provide  adequate  security  for  all  information  collected,  processed, 
transmitted,  stored,  or  disseminated  in  general  support  systems  and  major  applications” 
([http://www.whitehouse.gov/OMB/circulars/al30/al30appendix_iii.html]). 

88  Appendix  III,  to  OMB  Circular  A- 130,  1 1/28/2000,  op.cit. 

89  Interviews  with  officials  at  NIST  and  GAO. 

90  Horizontal  Integration:  Broader  Access  Models  for  Realizing  Information  Dominance  is 

(continued...) 
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instance,  the  use  of  risk  analysis  figured  prominently  at  the  November  21,  2005 
meeting  of  the  National  Science  Advisory  Board  for  Biosecurity  (NSABB)  in 
discussions  related  to  developing  criteria  for  a  code  of  conduct  for  researchers, 
identification  of  code  violations,  and  development  of  appropriate  consequences.  Risk 
analysis  has  also  figured  in  NSABB  discussions  about  developing  a  process  and  time 
schedule  to  vet  and  communicate  dual-use  research  while  it  is  being  conducted  and 
before  publication,  and  about  determining  the  consequences  of  public  release.91  (For 
more  information  about  NSABB,  see  in  the  section  below  entitled  “National  Science 
Advisory  Board  for  Biosecurity.”)  Others  have  also  proposed  using  risk-based 
models  to  handle  sensitive  scientific  and  technical  information.  These  are  discussed 
next. 


Jacques  S.  Gansler  and  William  Lucyshyn  proposed  that  criteria  be  developed, 
and  that  an  executive  order  be  issued,  that  identifies  “controlled  unclassified  security 
information  (CUSI),”  consisting  of  CII  and  SHSI,  whose  improper  release  by 
government  or  academic/scientific  institutions  “...could  egregiously  endanger  public 
safety.”92  The  objective  “...  for  both  government-funded  and  privately-funded 
research  is  to  create  a  culture  that  frowns  on  the  research,  experimentation,  and 
publication  of  CUSI,  much  like  the  culture  that  constrains  certain  experimental 
techniques,  such  as  stem-cell  research,  and  restrains  others,  such  as  human 
cloning.”93  A  risk-based  process  called  a  “‘Work-Factor’  for  Leveraging  Dangerous 
Information”  —  the  amount  of  resources  needed  to  use  the  information  for  harmful 
purposes  —  would  be  used  to  determine  risk  of  release: 


90  (...continued) 

a  report  prepared  by  the  Defense  Department  JASON  advisory  group  for  the  Under 
Secretary  for  Defense  Research  and  Engineering,  Horizontal  Integration:  Broader  Access 
Models  for  Realizing  Information  Dominance,  JASON  Program  Office,  MITRE,  JSR-04- 
132,  Dec.  2004,  p.  1.  The  report  focused  on  the  goal  of  enabling  “information  dominance 
[in]  warfare”  and  concluded  that  more  information  should  flow  directly  to  military  personnel 
in  the  field,  who  might  not  always  have  clearance  levels  required  to  handle  classified 
information  or  sensitive  information,  which  is  “....increasingly  defined  by  the  eye  of  the 
beholder Ypp.  4,  24-30).  The  report  recommended  using  an  information  system  based  on 
“...  transactional  risk  —  that  is  the  chance  that  any  given  transaction  will  be  compromised, 
rather  than  on  assigning  a  level  of  classification  to  a  document  based  on  the  potential 
damage  caused  by  disclosure”  (Shaun  Waterman,  “Report:  Govt  Secrecy  Hurting  War 
Fighters,”  JJPL  Dec.  15,  2004). 

91  The  archived  webcast  of  the  Nov.  21,  2005  meeting  is  available  at 
[http://videocast.nih.gov/ram/odll2105.ram].  See  also,  Andrew  J.  Hawkins,  “National 
Biosecurity  Panel  Lays  Groundwork  for  Identifying  Dual-Use  Research,”  Research  Policy 
Alert,  Nov.22, 2005;  Andrew  J.  Hawkins,  “Success  of  Scientist  Code  of  Conduct  Hinges  On 
Education,  Biosecurity  Board  Hears,”  Research  Policy  Alert,  Nov.23,  2005;  and  Eugene 
Russo,  “Biosecurity  Advisory  Board  Reports  Lessons  Learned  From  1918  Flu  Papers,  Aims 
to  Improve  Screening  Process,”  Research  Policy  Alert,  Nov.  23,  2005. 

92  Jacques  S.  Gansler  and  William  Lucyshyn,  The  Unintended  Audience:  Balancing 
Openness  and  Secrecy:  Crafting  an  Information  Policy  for  the  21st  Century,  Center  for 
Public  Policy  and  Private  Enterprise  School  of  Public  Policy,  University  of  Maryland,  Sept. 
2004,  pp.  27,  32. 

93  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  pp.  38-39. 
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When  information  that  could  threaten  the  public  safety  is  easily  accessible  — 
that  is,  when  the  costs  of  obtaining  it  are  low  and  the  convenience  of  using  it  is 
relatively  high  —  this  “work-factor”  for  leveraging  potentially  harmful 
information  provides  a  benchmark  for  determining  whether  information  should 
be  controlled.  While  high-level  descriptions  of  and  mitigations  for  vulnerabilities 
should  be  released  to  inform  and  alert  the  public,  “push-button”  or  “cookbook” 
instructions  on  how  to  do  harm  are  easily  identifiable  and  clearly  should  be 
withheld.  The  amount  of  resources,  including  the  number  of  knowledgeable 
personnel,  needed  to  exploit  vulnerabilities  describes  a  work-factor,  which  is  a 
good,  practical  indicator  of  where  disclosure  borders  on  weaponization.94 

The  report  recommended  that  with  respect  to  “public  sector  information,”  a 
policy  embodying  CUSI  would  “enable  the  sharing  of  sensitive  materials  between 
departments  and  agencies  at  the  federal,  state,  and  local  levels,  as  well  as  with  those 
in  the  private  sector  with  a  need  to  know,”95  and  would  ensure  "...  that  similar 
information  produced  in  different  agencies  is  identified  and  protected  in  the  same 
way”  and  that  FOIA  and  CUSI  guidelines  are  not  in  conflict.”96  DHS,  it  was 
recommended,  should  develop  educational  programs,  government  controls,  and 
voluntary  restraints  to  prevent  the  disclosure  of  information  that  should  not  be 
released.97  Government-defined  policy  controls  should  extend  to  publicly  funded 
private  researchers  and  DHS,  assisted  by  NSF  and  NIH  and  other  agencies,  should 
issue  guidance  to  privately  funded  researchers.  Professional  peer  reviews  would  be 


94  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  pp.  40-42.  The 
following  illustrations  were  given  “[f]or  potential  low-impact  events,  the  most  serious 
threats  are  those  that  are  highly  convenient  and  extremely  low  cost....  Typically,  these 
threats  cause  a  high  level  of  disruption  and/or  annoyance.  An  example  of  such  a  threat 
would  be  contaminating  food  with  bacteria,  similar  to  the  1984  case  where  members  of  a 
religious  cult  sprayed  salmonella  bacteria  on  salad  bars  throughout  the  Oregon  region, 
causing  751  cases  of  food  poisoning....  For  a  potential  medium-impact  event,  those  threats 
that  are  high  in  cost  and  low  in  convenience  warrant  the  least  amount  of  concern.... 
Information  on  agents  that  when  directly  applied  to  fields  would  decrease  crop  yield  without 
completely  destroying  the  harvest  might  fall  into  this  category.  It  would  be  difficult  to 
deliver  such  agents,  and  decreasing  the  yield  for  some  crops  in  the  United  States  might 
succeed  only  in  reducing  the  surplus.  Nearly  all  of  the  threats  of  a  potential  high-impact 
event  should  be  considered  serious,  and  information  related  to  these  threats  should  be 
controlled....  A  grey  area,  where  information  would  have  to  be  carefully  evaluated,  forms 
when  costs  are  high  and  convenience  is  low.  For  example,  information  on  how  to  create 
vaccines  for  highly-communicable  diseases  could  fall  into  this  category,  as  the  method  for 
creating  vaccines  now  in  use  first  increases  the  virulence  of  normal  diseases  and  then  finds 
inhibitors  to  block  or  antibodies  to  combat  the  strongest  variants  of  the  diseases.  Increasing 
controls  significantly  could  slow  the  development  of  preventive  measures,  which,  in  the  end, 
might  cause  more  harm  than  good”  ( The  Unintended  Audience:  Balancing  Openness  and 
Secrecy,  op.  cit.,  pp.  43-44). 

95  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,p.  ii,  p.  33. 

96  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  p.  33. 

97  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  p.  44. 
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conducted  before  publication  of  work  that  might  meet  criteria  for  safeguarding. 
Specifically,98 

[f]  ederally-funded  researchers  should  disclose  potential  security  concerns  in  their 
grant  proposals.  DHS  monitored  review  panels  will  assess  the  security 
implications  of  the  work  with  potentially  significant  negative  impact  in 
accordance  with  established  guidelines.  DHS  should  lead  the  effort  to  develop 
model  review  policies,  encouraging  non-federally-funded  researchers  to  adopt 
them  and  to  submit  their  work  to  the  government-monitored  review  panel  or  an 
independent,  government-certified  review  panel.  DHS  should  also  train 
publishers  to  conduct  reviews  just  before  research  is  made  available  to  serve  as 
a  safety  net  after  research  is  already  completed,  and  publishers  should  implement 
a  two-tiered  publication  scheme  to  restrict  detailed  content  to  premium  access 
where  the  credentials  of  the  readers  can  be  verified.99 

Brian  J.  Gorman  proposed  a  risk-based  alternative  approach  for  prepublication 
peer  review.  He  called  for  a  risk-based  process  called  “Due  Process  Vetting  System” 
(DPVS)  together  with  “...  a  Risk  Assessment  Scale  [RAS]  and  a  Least  Restrictive 
Classification  System  for  the  communication,  assessment,  and  disposition  of 
sensitive  life  science  research  in  a  manner  consistent  with  national  security 
interests.”100  The  aforementioned  reports  proposed  that  researchers  should  self- 
evaluate  the  sensitivity  of  their  work  and  that  self-imposed  professional  association 
or  governmental  constraints,  including  classification,  be  imposed  if  the  information 
could  be  weaponized  and  if  the  consequences  of  its  use  were  high  risk,  but  that  such 
information  should  be  communicated  among  those  with  a  “need  to  know.”101  (This 
proposal  and  others  for  institutional  or  governmental  bodies  to  review  and  approve 
biological  sciences  research  plans  or  publications  are  discussed  below  in  the  section 
“Controls  on  Unclassified  Biological  Research  Information.”) 


98  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  p.  45. 

99  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  pp.  ii-iii. 

100  Brian  J.  Gorman,  “Balancing  National  Security  and  Open  Science:  A  Proposal  for  Due 
Process  Vetting,”  Yale  Journal  of  Law  and  Technology,  2005,  pp.  2,  15. 

101  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit.,  pp.  39-40.  See  also 
J.  Gaudioso  and  R.  M.  “A  Conceptual  Framework  for  Biosecurity  Levels,”  BTR  2004: 
Unified  Science  and  Technology  for  Reducing  Biological  Threats  and  Countering  Terrorism 

—  Proceedings,  Albuquerque,  NM,  March  18-19,  2004,  p.  ii.  As  an  illustration: 
“Restricting  research  and  development  must  rely  on  constraining  knowledge  rather  than 
forbidding  it.  For  example,  such  restrictions  would  control  research  into  the  engineering  of 
viral  factors  that  introduce  animal  pathogens  into  humans  but  would  not  prohibit  it, 
categorically.  Production  refers  to  the  ways  in  which  information  can  be  weaponized,  or 
leveraged  against  the  public.  As  such,  production  restraints  should  entail  issues  similar  to 
ways  of  refining  anthrax  and  ways  of  enriching  uranium.  Although  information  about 
weapons  programs  would  be  classified,  scientific  “know-how”  that  may  be  —  as  in  the  case 
of  bioweapons  —  only  one  step  away  from  implementation  generally  would  not  be 
classified.  Employment  refers  to  final-stage  delivery.  For  example,  issues  of  employment 
may  refer  to  detailed  schematics  on  the  briefcases  used  in  the  Tokyo  sarin  gas  attacks  or 
plans  for  maximizing  the  radiological  contamination  from  a  “dirty  bomb”  (Gaudioso  and 
Salerno,  op.  cit.,  Mar.  18-19,  2004,  p.  28). 
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Mobilizing  Information  to  Prevent  Terrorism:  Accelerating  Development  of  a 
Trusted  Information  Sharing  Environment ,  a  report  by  the  Markle  Foundation  Task 
Force  on  National  Security  in  the  Information  Age,  examined  how  to  reconcile 
national  security  needs  with  civil  liberties  requirements.102  It  sought  to  redress 
problems  with  “current  classification  procedures”  that  frequently  are  “  a  barrier  to 
effective  information  sharing  because  they  overemphasize  the  risks  of  inadvertent 
disclosure  over  those  of  failure  to  share  information.”103  Among  other  things  it 
proposed  use  of  a  “risk  management”  approach  to  classification  that  balances  the 
risks  of  inappropriate  disclosure  with  the  risks  of  failing  to  share  information 


Policies  To  Protect  Specific  Types  of  Sensitive 
Information  Involving  Scientific  and  Technical 

Applications 

Specific  laws  have  been  enacted  and  policies  and  procedures  are  in  varying 
stages  of  implementation  that  define  and  protect  sensitive  unclassified  science-  and 
technology-related  information  in  such  fields  as  critical  infrastructure,  transportation, 
environmental  impacts,  biology,  geospatial  data,  and  DHS  information.  These  and 
criticisms  that  have  been  made  about  them  are  summarized  next. 

Critical  Infrastructure  Information  Controls 

The  need  to  protect  critical  infrastructure  information  is  based  on  the  premise 
that  potential  terrorists  should  not  have  access  to  information  that  might  expose 
vulnerabilities  in,  or  provide  roadmaps  to,  the  nation’s  core  physical  transportation, 
water,  communication,  energy,  and  related  systems,  or  to  major  buildings,  bridges, 
and  other  major  structures.  As  an  example  of  critical  infrastructure  vulnerabilities, 
Charlie  Reeder,  Interagency  Operations  Security  Support  Staff,  DOD,  and  part  of  a 
Pentagon  group  that  represents  the  National  Security  Agency,  Central  Intelligence 
Agency,  Federal  Bureau  of  Investigation,  DOD,  General  Services  Administration, 
and  Department  of  Energy  (DOE),  is  reported  to  have  said  that  ‘“...  he’s  seen 
government  websites  include  maps  of  installations  ...  specifications  of  weapons  and 
communications  systems  ...  and  much  more.  ...  When  we  publish  this  information 
on  the  Internet,  we  might  as  well  fax  it  directly  to  our  adversaries  ...”’104  He  also 
commented  that  ‘“According  to  a  message  sent  by  Secretary  of  Defense  Donald 
Rumsfeld  ...  an  al  Qaeda  training  manual  recovered  in  Afghanistan  states  ‘using 
public  sources  openly  and  without  resorting  to  illegal  means,  it  is  possible  to  gather 


102  Zoe  Baird,  James  Barksdale,  chairmen,  Mobilizing  Information  to  Prevent  Terrorism: 
Accelerating  Development  of  a  Trusted  Information  Sharing  Environment,  Third  Report  of 
the  Markle  Foundation  Task  Force,  2006,  Markle  Foundation,  New  York  City,  93  p. 

103  Markle  Foundation,  “Markle  Task  Force  on  National  Security  in  the  Information  Age 
Releases  Third  Report,  ‘Mobilizing  Information  to  Prevent  Terrorism:  Accelerating 
Development  of  a  Trusted  Information  Sharing  Environment,  ’  “Press  Release,  July  13, 2006. 

104  Stephen  Larsen,  “Secure  Sensitive  Unclassified  Information,”  Pentagram,  Nov.  28, 2003 
http://www.dcmilitary.com/army/pentagram/8_47/commentary/26442-l.html. 
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at  least  80  percent  of  information  about  the  enemy.’”  Open-source  information  can 
be  accessed  through  Internet  sites,  job  announcements,  budget  documents,  and 
newsletters.105  Similarly,  a  survey  by  Computerworlcl  noted  that  “the  widespread 
availability  of  sensitive  information  on  corporate  websites  appears  to  have  been 
largely  overlooked  by  IT  and  security  managers....”106  Among  the  information 
available  on  the  Web  are  “3-D  models  of  the  exterior  and  limited  portions  of  the 
interior  of  the  Citigroup  headquarters  building  in  Manhattan  —  one  of  the  sites 
especially  named  in  the  latest  terror  advisory  issued  by  the  Department  of  Homeland 
Security,”  and  various  similar  kinds  of  information  about  the  building’s  structural 
design  weaknesses. 

In  part  to  cope  with  issues  like  these,  the  “Critical  Infrastructure  Information  Act 
of  2002,”  Title  II  of  P.L.  107-296,  prohibits  disclosure  under  FOIA  of  “critical 
infrastructure  information”  (CII)  relating  to  the  security  of  critical  infrastructure  and 
protected  systems  submitted  to  DHS  voluntarily  by  private  companies.107  Criminal 
penalties  for  disclosure  by  employees  under  this  statute  include  fines,  dismissal,  or 
imprisonment  for  up  to  a  year  (Section  2 14). 108  The  statute  also  provides  for  the 
preemption  of  state  freedom  of  information  laws  regarding  the  public  disclosure  of 
such  information  if  it  is  shared  with  a  state  or  local  government  official  in  the  course 
of  DHS’s  activities.109  The  DOD  issued  a  memo  on  March  25,  2003,  that  applied 
prohibitions  like  those  in  P.L.  107-296  to  critical  infrastructure  information 
voluntarily  submitted  to  DOD.110  On  April  15,  2003,  DHS  published  interim  rules 
to  implement  the  critical  information  infrastructure  protection  provisions  of  P.L.  107- 
296,  which  would  extend  the  rules  to  other  agencies  by  requiring  them  to  pass  to 
DHS  similar  information  that  they  receive.111  On  December  17,  2003,  President 
Bush  issued  Homeland  Security  Presidential  Directive  7  (HSPD-7),  which  among 
other  things,  directed  all  federal  agencies  to  protect  voluntarily  submitted  information 
about  critical  infrastructure  vulnerabilities  in  line  with  Title  II  of  P.L.  107-296. 


105  Larsen,  op.  cit. 

106  “Too  Much  Info  on  Websites,”  SAP  Info,  Sept.  8,  2004. 

107  Sections  21 1-215  of  P.L.  107-296,  codified  as  6  U.S.C.  131-134,  define  the  term  “critical 
infrastructure  information”  to  mean  information  not  customarily  in  the  public  domain  and 
related  to  the  security  of  critical  infrastructure  or  protected  systems.  For  rules,  see  6  C.F.R. 
29.1  and6C.F.R.  29.2. 

108  For  additional  analysis,  see  CRS  Report  RL31547,  op.  cit. 

109  See  also  “Homeland  Security  Law  Contains  New  Exemption  3  Statute,”  FOIA  Post ,  Jan. 
27,  2003. 

110  Memo  from  H.J.  McIntyre  on  “FOIA  Requests  for  Critical  Infrastructure  Information,” 
described  in  Steven  Aftergood,  “DOD  on  Critical  Infrastructure  Info,”  Secrecy  News,  Apr. 
29, 2003,  and  “Efforts  Made  to  Expand  Critical  Infrastructure  Information,”  OMB  Watcher, 
May  5,  2002. 

111  “6  CFR  Part  29,  Procedures  for  Handling  Critical  Infrastructure  Information;  Proposed 
Rule,  Department  of  Homeland  Security,”  Federal  Register,  Apr.  15,  2003,  pp. 
18523-18529.  For  additional  information,  see  CRS  Report  RL30153,  Critical 
Infrastructures:  Background,  Policy,  and  Implementation,  by  John  Moteff. 
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The  DHS  published  an  interim  final  rule  that  established  the  “Protected 
Infrastructure  Information  (PCII)  Program,”  effective  February  18, 2004,  with  public 
comments  allowed  until  May  20,  2004. 112  The  rules  were  amended  and  issued  in  a 
final  regulation  entitled  “Procedures  for  Handling  Protected  Critical  Infrastructure 
Information,”  on  September  1,  2006. 113  The  procedures  govern  the  receipt, 
validation,  handling,  storage,  marking,  and  use  of  critical  infrastructure  information 
voluntarily  submitted  to  the  Department  of  Homeland  Security  and  apply  to  all 
federal,  state,  local,  and  tribal  government  agencies  and  contractors  that  have  access 
to,  handle,  use,  or  store  critical  infrastructure  information. 

CII  information  submitted  to  DHS  is  not  subject  to  disclosure  under  FOIA, 
under  an  exemption  three  category,  established  pursuant  to  section  214  of  the 
Homeland  Security  Act  of  2002, 114  if  it  has  not  been  made  public  previously.115  The 
language  in  P.L.  107-296  protects  only  CII  submitted  to  the  DHS,  but  the  Department 
of  Justice  reports  that  in  the  future,  it  may  be  applied  to  submissions  made  to  other 
federal  agencies.116  (For  additional  information,  see  CRS  Report  RL33670, 
Protection  of  Security-Related  Information,  by  Gina  Marie  Stevens  and  Todd  B. 
Tatelman.) 

Sensitive  Security  Information  Controls:  Transportation 

Both  the  Department  of  Agriculture  (USDA)  and  the  Transportation  Security 
administration  (TSA)  use  the  ternT’sensitive  security  information”  (SSI).  The  use  of 
the  term  in  transportation  is  discussed  in  this  section.117  The  Federal  Aviation 
Administration  (FAA)  had  been  permitted  since  passage  of  the  Air  Transportation 
Security  Act  of  1974* ls  to  issue  regulations  to  protect,  and  to  distribute  to  those  with 


112  The  implementing  regulations  are  contained  in  the  Code  of  Federal  Regulations  (6  CFR 
Part  29).  See  also  Department  of  Homeland  Security,  “DHS  Launches  Protected  Critical 
Infrastructure  Information  Program  to  Enhance  Homeland  Security,  Facilitate  Information 
Sharing,”  Press  Release,  Feb.  18,  2004,  and  attached  information  sheet  “Protected  Critical 
Infrastructure  Information  (PCII)  Program.”  See  the  Federal  Register,  Feb.  20,  2004,  pp. 
8073-8089.  Comments  are  posted  on  the  DHS  website.  See  also  Lucy  A.  Dalglish  and 
Gregg  P.  Leslie,  Flomefront  Confidential :  How  the  War  on  Terrorism  Affects  Access  to 
Information  and  the  Public’s  Right  to  Know,  fifth  ed.,  2004,  pp.  70-71. 

113  Federal  Register,  vol.  71,  no.  170,  Sept.  1,  2006,  pp.  52261-52277. 

114  6  U.S.C.A.  section  133.  See  the  memo  on  “Critical  Infrastructure  Information 

Regulations  Issued  by  DHS,”  FOIA  Post,  Feb.  27,  2004, 

[http://www.usdoj.gov/oip/foiapost/2004foiapost6.htm],  Leslie,  op.  cit.,  and  CRS  Report 
RL30153,  op.  cit. 

115  DHS  press  release,  Feb.  18,  2004,  op.  cit. 

116  “Critical  Infrastructure  Information  Regulations  Issued  by  DHS,”  op.  cit.  2004. 

117  For  a  discussion  of  usage  in  USDA  and  TSA,  see  Appendix  A  to  this  report.  See  also: 
Harold  C.  Relyea,  Security  Classified  and  Controlled  Information:  History,  Status,  and 
Emerging  Management  Issues,  CRS  Report  RL33494. 

118  Air  Transportation  Security  Act  of  1974,  P.L.  93-366,  Section  316,  88  Stat.  409  (1974), 
as  cited  in  CRS  Report  RL32664,  Interstate  Travel:  Constitutional  Challenges  to  the 
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a  “need  to  know,”  sensitive  civil  aviation  security  information  that  was  obtained 
during  security  investigations  or  consisted  of  research  and  development  information 
that  would  invade  privacy,  would  reveal  a  trade  secret  or  financial  or  commercial 
information,  or  would  be  detrimental  to  the  safety  of  persons  traveling  by  air.  “The 
FAA  implemented  this  authority  by  promulgating  regulations,  which,  among  other 
things,  established  a  category  of  information  known  as  Sensitive  Security  Information 
(SSI).  In  1997,  the  Department  of  Transportation  (DOT)  definition  of  SSI  included 
‘records  and  information  ...  obtained  or  developed  during  security  activities  or 
research  and  development  activities.’”119  Subsequently,  this  type  of  information  was 
given  a  statutory  basis  pursuant  to  the  Aviation  and  Transportation  Security  Act,  P.L. 
107-71,  which  created  the  Transportation  Security  Administration  (TSA)  and 
prohibited  disclosure  of  certain  kinds  of  information  relating  to  transportation  if  the 
disclosure  would  be  detrimental  to  the  safety  of  passengers  in  transportation.120  P.L. 
107-296  expanded  this  coverage  to  include  information  detrimental  to  the  “security 
of  transportation.”  As  the  FAA  was  moved  to  the  TSA,  first  located  in  the  DOT  and 
then  to  the  DHS,121  the  SSI  withholding  authority  appears  to  have  been  expanded  to 
include  “all  transportation  related  activities  including  air  and  maritime  cargo, 
trucking  and  freight  transport,  and  pipelines.”122  On  May  18,  2004,  the  DOT  and 
DHS  jointly  promulgated  revised  regulations,123  which,  “adopt  the  Homeland 
Security  Act  language  as  the  definition  of  SSI.  In  addition,  the  new  regulations 
incorporate  former  SSI  provisions,  including  the  sixteen  categories  of  information 
and  records  that  constitute  SSI.”124  SSI  information  is  defined  by  statute  (49  U.S.C. 
section  114  (s))  and  an  implementing  regulation  (49  C.F.R.  part  1520)125  as 

(1)  Security  programs  and  contingency  plans  ...  issued,  established,  required, 
received,  or  approved  by  DOT  or  DHS....  (2)  Security  Directives....  (3) 

Information  Circulars  ...  issued  by  DHS  or  DOT  regarding  a  threat  to  aviation  or 
maritime  transportation....  (4)  Performance  specifications....  (5)  Vulnerability 
assessments....  (6)  Security  inspection  or  investigative  information....  (7)  Threat 


118  (...continued) 

Identification  Requirement  and  Other  Transportation  Security  Regulations ,  by  Todd  B. 
Tatelman. 

119  According  to  Tatelman,  op.  cit.,  codified  at  14  C.F.R.  §  191.1  (1997). 

120  Created  pursuant  to  the  Aviation  and  Transportation  Security  Act  (ATSA),  P.L.  107-71, 
section  101  (e)(3),  1 15  Stat.  597,  603  (2002). 

121  For  detailed  history  of  the  laws  and  regulations  that  govern  SSI  and  transportation,  see 
CRS  Report  RL32664,  op.  cit.,  and  CRS  Report  RL32425,  Sensitive  Security  Information 
and  Transportation  Security:  Issues  and  Congressional  Options ,  by  M.A.  Sollenberger. 

122  CRS  Report  RL32664,  op.  cit. 

123  See  also  “Protection  of  Sensitive  Security  Information,  Transportation  Security 
Administration  (TSA),  DHS,  and  Office  of  the  Secretary  of  Transportation  (OST),  DOT.” 
Federal  Register ,  May  18,  2004  (v.  69,  no.  96),  pp.  28066-28086.  (DOT,  Office  of  the 
Secretary  of  Transportation,  49  CFR  Part  15;  Department  of  Homeland  Security, 
Transportation  Security  Administration,  49  CFR  Part  1520.) 

124  Tatelman,  op.  cit.,  pp.  3-4.  See  the  original  for  footnotes  to  this  quotation. 

125  Report  Pursuant  to  Section  893,  not  dated  but  reportedly  sent  to  the  committee  chairmen 
in  February  2004,  p.  5,  op.  cit. 
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information....  (8)  Security  measures....  (9)  Security  screening  information.... 

(10)  Security  training  materials....  (11)  Identifying  information  of  certain 
transportation  security  personnel....  (12)  Critical  aviation  or  maritime 
infrastructure  asset  information....  (13)  Systems  security  information...  (14) 
Confidential  business  information....  (15) ...  Information  obtained  or  developed 
in  the  conduct  of  research  related  to  aviation  or  maritime  transportation  security 
activities,  where  such  research  is  approved,  accepted,  funded,  recommended,  or 
directed  by  the  DHS  or  DOT,  including  research  results...  (16)  Other 
information.... 

This  information,  like  CII  information,  was  also  designated  as  exempt  from 
disclosure  under  FOIA  (49  U.S.C  sec  40119(b)  (1))  under  exemption  3,  which 
permits  the  withholding  of  information  protected  by  other  statutes,  has  use  limitations 
for  sharing  with  state  or  local  governments,  and  imposes  criminal  penalties  on  federal 
officers  or  employees  who  disclose  such  information.126 

Critique  of  SSI  Rules.  Terrorists  have  capitalized  on  vulnerabilities  in 
national  and  foreign  transportation  systems  several  times  since  2001.  Nevertheless, 
some  critics  charge  that  too  much  transportation-related  information  is  being 
withheld  from  public  access.  Many  of  the  criticisms  of  SSI  rules  focus  on  the  alleged 
consequences  of  preventing  the  public  from  accessing  information  that  might  be  used 
to  promote  safety  or  be  used  in  citizen  oversight.  For  instance,  some  aircraft 
personnel  and  consumer  advocates  say  that  TSA’s  use  of  SSI  can  “muzzle  debate  of 
security  initiatives  and  insulate  TSA  from  criticism.”127  The  newsletter  OMBWatch 
reported  that  the  TSA  has  denied  access  to  information  when  “reasonable  access  to 
it  could  improve  safety  conditions  for  communities  and  workers.”128  Examples 
include  TSA  denying  pilots  access  to  information  to  comply  with  TSA  regulations 
to  avoid  flying  near  nuclear  power  plants,  disagreeing  with  TSA’s  views  that 
information  on  such  sites  compiled  from  public  data  by  the  Aircraft  Owners  and 
Pilots  Association  should  be  labeled  SSI  and  not  be  made  available,  and  denying  the 
District  of  Columbia  government  access  to  information  to  help  them  determine  if 
trains  carrying  chlorine  through  D.C.  should  be  rerouted.  The  Coalition  of 
Journalists  for  Open  Government  (CJOG),  a  group  of  journalist  advocacy 
organizations,129  in  a  filing  on  July  16,  2004,  in  response  to  regulations  jointly  filed 


126  See  CRS  Report  RL32597,  Information  Sharing  for  Homeland  Security:  A  Brief 
Overview,  by  Harold  C.  Relyea  and  Jeffrey  W.  Seifert. 

127  Secrecy  in  the  Bush  Administration,  by  U.S.  House  of  Representatives,  Committee  on 
Government  Reform  —  Minority  Staff  Special  Investigations  Division  Prepared  for  Rep. 
Henry  A.  Waxman,  Sept.  14,  2004,  p.  54.  Tim  Starks,  “A  Fine  Mess:  TSA’s  New 
Information  Security  Rules  Leaves  Stakeholders  Confused,”  CQ  Homeland  Security,  July 
21,2004. 

128  “Transportation  Agency  Hides  Vital  Data  ‘Sensitive  Security  Information,”’  OMB  Watch, 
Apr.  4,  2005. 

129  Composed  of  American  Society  of  Newspaper  Editors;  Associated  Press  Managing 
Editors;  Committee  of  Concerned  Journalists;  National  Association  of  Science  Writers; 
Newspaper  Association  of  America;  Reporters  Committee  for  Freedom  of  the  Press; 
Radio-Television  News  Directors  Association;  Society  of  Professional  Journalists;  Society 
of  Environmental  Journalists. 
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by  the  Department  of  Transportation  and  the  Transportation  Security 
Administration,130  said 

[The]  ...  unrestricted  use  of  the  ...  (SSI)  designation  ...  will  have  a  seriously 
adverse  impact  on  traditional  citizen  and  media  oversight  of  the  governance  of 
our  seaports,  airports  and  transit  systems....  There  appear  to  be  no  limits  to  the 
type  of  information  that  might  be  gathered  or  generated  as  SSI  and  then  sealed. 

Local  and  state  officials,  bound  by  non-disclosure  agreements,  may  be  forced  to 
deny  access  to  records  that  state  law  and  local  ordinance  require  be  made 
available  to  citizens.  Information  needed  by  civic  activists  or  organizations  to 
maintain  oversight  and  challenge  local  officials  on  their  management  of  public 
facilities  may  be  withheld,  even  when  the  information’ s  relevance  to  any  possible 
terrorist  threat  is  at  best  tenuous.  131 

In  the  same  document,132  the  CJOG  recommended  that  federal  agencies  should 
preserve  public  access  to  what  it  calls  “critical  oversight  information”  (COI)  —  “any 
information  a  citizen  might  use  to  judge  whether  his  or  her  public  servants  are 
serving  well,”  information  “that  speaks  to  the  quality  and  integrity  of  their 
performance  as  policy  makers,  managers  or  employees  of  our  seaports,  airports  and 
transit  systems,”  including  budget  information  and  details  on  revenue  and  spending 
and  information  about  personnel  and  their  qualifications,  training,  and 
performance.133 

Various  courts  have  ruled  on  the  interpretation  of  the  SSI  regulations.134 

Controls  on  Environmental  Impact  Information 

Controls  on  environmental  impact  information  are  premised  on  the  need  to 
protect  internal  agency  decision  making  procedures  and  to  control  access  to 
information  that  terrorists  might  use  to  harm  critical  infrastructures,  deliver  services, 
or  poison  the,  air,  water,  and  so  forth.  The  actions  discussed  next  represent  steps  that 
have  been  taken  to  safeguard  public  access  to  environmental  information. 

The  Department  of  Homeland  Security  (DHS)  expanded  its  ability  to  withhold 
certain  types  of  environmental  impact  information  that  previously  was  available  to 


130  See  also  “Press  Coalition  Defends  Access  to  “Critical  Oversight  Info,”  Secrecy  News, 
July  19,  2004. 

131  Pete  Weitzel,  “Comments  of  the  Coalition  of  Journalists  for  Open  Government  (CJOG), 
Before  The  Department  of  Transportation  and  the  Transportation  Security  Administration, 
In  the  Matter  of  Protection  of  Sensitive  Security  Information,”  RIN  1652  AA08  Docket  # 
TSA  2003-15569. 

132  These  comments  were  made  in  a  filing  by  CJOG  and  nine  of  its  member  organizations 
on  July  16, 2004,  in  response  to  regulations  jointly  filed  by  the  DOT  and  the  TSA  involving 
the  designation  and  disclosure  of  information  designated  as  Sensitive  Security  Information. 

133  Weitzel,  CJOG,  op.  cit. 

134  See,  Stevens  and  Tatelman,  CRS  Report  RL33670,  op.  cit.,  pp.  19-26. 
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the  public  pursuant  to  the  National  Environmental  Policy  Act  (NEPA).135  On  June 
14,  2004,  DHS  issued  a  directive  proposing  new  categorical  exclusions  to  disclosure 
requirements  under  FOIA  for  assessments  of  environmental  impacts  of  DHS  decision 
making  and  included  component  DHS  agencies  in  the  categorical  exclusions 
policy.136  The  directive  specified  three  levels  for  projects  or  grants  that  might  have 
environmental  impacts:  “those  affecting  national  security  that  are  categorically 
excluded  from  coverage  under  NEPA;  those  that  require  DHS  agencies  to  conduct 
environmental  assessments;  and  those  with  the  greatest  potential  to  affect  natural 
resources  and  the  environment,  which  would  require  more  detailed  environmental 
impact  statements.”  Specifically,  EPA  allows  categorical  exclusions  for  “actions  that 
...do  not ...  have  significant  impact  on  the  human  environment,  and  therefore  ...  do 
not  require  an  environmental  assessment ...  or  environmental  impact  statement....” 
(40  C.F.R.  1500-1508.) 

Some  of  the  agencies  that  were  transferred  to  DHS  had  previously  identified 
such  exclusions.  In  addition,  the  directive  exempted  all  DHS  agencies 
(Transportation  Security  Administration,  Coast  Guard,  Border  Patrol,  FEMA  and 
others)  from  releasing  classified,  proprietary,  or  other  information  exempt  from 
disclosure  under  FOIA,  and  proposed  to  exempt  critical  infrastructure  information, 
sensitive  security  information,  and  other  information  described  in  “laws,  regulations, 
or  Executive  Orders  prohibiting  or  limiting  the  release  of  information.”137  Some  say 
this  could  exclude  from  public  view  environmental  impact  statements  required  by 
NEPA.  In  its  Federal  Register  announcement,  DHS  said  that  it  would  place 
protected  information  prepared  for  compliance  with  NEPA  into  appendix  sections 
for  viewing  only  by  decision  makers,  but  would  allow  the  public  to  view  nonsensitive 
portions  of  the  material.  However,  it  added  “...if  segregation  would  leave  essentially 
meaningless  material,  the  DHS  elements  will  withhold  the  entire  NEPA  analysis 
from  the  public.”  The  plan  also  would  allow  DHS  to  categorize  some  environmental 
reviews  as  “sensitive  security  information”  or  “critical  infrastructure  information” 
exempt  from  public  disclosure.  The  public  comment  period  was  for  one  month  and 
then  was  extended  to  August  16,  2004.  DHS  held  a  meeting  on  October  12,  2004  to 
discuss  public  comments  received.138  On  April  4,  2006,  DHS  published  a  final  rule. 
On  this  topic  EPA  responded  to  public  comments  by  empaneling  a  group  to  examine 
release  of  environmental  review  information  and  concluded  that  it  would  permit 
environmental  review  information  that  is  not  withheld  according  to  statute  to  be 
made  accessible  to  the  public  pursuant  to  FOIA.139 


135  42  U.S.C.  Section  5321  et.  seq. 

136  DHS,  “Proposed  Management  Directive  5100.1,  Environmental  Planning  Program,” 
Federal  Register,  v.  69,  no.  33043-  33066.  June  14,  2004. 

137  Federal  Register,  June  14,  2004,  op.  cit.,  p.  33063. 

138  Management  Draft  Management  Directive  5100.1,  Environmental  Planning  Program 
Meeting  Minutes,  Subject:  Draft  Environmental  Directive  for  the  Department  of  Homeland 
Security  (DHS)  Meeting:  October  12,  2004,  at  [http://www.dhs.gov/dhspublic/interapp 
/editorial/editorial_05 2 8 .  xml] . 

139  Section  “9.  Appendix  A,  Section  6.2,  Classified  or  Protected  Information”  in 
“Department  of  Homeland  Security,  Environmental  Planning  Program,  Notice  of  Final 
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A  2005  supplemental  appropriations  bill  (H.R.  1268),  enacted  as  P.L.  109-13, 140 
exempted  the  DHS  from  certain  legal  requirements  when  physically  securing  U.S. 
borders.  Some  contend  that  this  may  enable  DHS  to  waive  environmental  protection 
laws,  among  others,  relating  to  border  security.141 

Critiques  of  Controls  on  Environmental  Information.  Some  critics 
allege  that  these  types  of  policies,  including  SBU  information  control  policies, 
conflict  with  the  environmental  quality  laws  of  the  1970s  and  the  Emergency 
Planning  and  Community  Right-To-  Know  Act  of  1986  (42  U.S.C.  1 1049).  Critics 
of  regulations  limiting  access  to  some  critical  infrastructure  information  focus  on 
their  preemption  of  state  and  local  disclosure  laws  and  the  inability  of  citizens  to 
obtain  information  needed  to  ensure  community  safety.142  Several  environmental 
groups  have  criticized  controls  on  environmental  information,  saying  too  much  is 
being  withheld  by  EPA  and  DHS  pursuant  to  its  DHS  environmental  directive 
released  on  June  14,  2004.  The  Natural  Resources  Defense  Council  charged  that 


139  (...continued) 

Directive,”  Federal  Register,  vol.  71,  no.  64,  April  4,  2006,  pp.  16790-16820. 

140  According  to  Sec.  102  of  P.L.  109-13:  “Waiver  of  Legal  Requirements  Necessary  for 
Improvement  of  Barriers  at  Borders;  Federal  Court  Review,”  Section  102(c)  of  the  Illegal 
Immigration  Reform  and  Immigrant  Responsibility  Act  of  1996  (8  U.S.C.  1103  note)  is 
amended  to  read  as  follows:  “...  Notwithstanding  any  other  provision  of  law,  the  Secretary 
of  Homeland  Security  shall  have  the  authority  to  waive  all  legal  requirements  ...  [he] 
determines  necessary  to  ensure  expeditious  construction  of  the  barriers  and  roads  under  this 
section....  Any  such  decision  by  the  Secretary  shall  be  effective  upon  being  published  in  the 
Federal  Register 

141  “Homeland  Security  Wins  Power  to  Waive  All  Law,”  OMB  Watch,  Feb,  2005. 

142  Reportedly,  once  submitted  to  DHS,  “information  that  is  designated  CII  is  not  merely 
exempt  from  public  disclosure.  It  can’t  be  disclosed  to  any  government  official  except  for 
national  security  purposes.  Nor  can  it  be  used  in  court.  That  means  a  company  could  tell  the 
Department  of  Homeland  Security  about  an  eroding  chemical  storage  tank  on  the  bank  of 
a  river,  but  DHS  could  not  disclose  that  information  to  the  public  or  even  to  the 
Environmental  Protection  Agency.  And  if  there  were  a  spill ... ,  the  information  given  DHS 
couldn’t  be  subpoenaed  in  a  law  suit.  No  one  knows  just  what  that  will  mean  in  practice, 
but  the  concern  is  palpable”  (Pete  Weitzel,  “A  Skip  Through  the  Rabbit  Hole,”  The 
American  Editor  [American  Society  of  Newspaper  Editors],  May-June-July  2004). 

Problems  were  reported  by  a  community  group  working  with  the  Project  on 
Government  Oversight  (POGO)  “to  track  drinking  water  supplies  contaminated  with 
perchlorate,  a  rocket  fuel  that  causes  developmental  problems  in  children.  After  9/11,  the 
Army  refused  to  share  critical  information  with  the  community  groups,  including  maps  of 
drinking  water  test  wells.  What  confused  community  groups  the  most  was  the  fact  that  these 
maps  were  already  shared  publicly  —  but  the  Army  refused  to  acknowledge  them  and 
claimed  they  were  ‘sensitive’  information  not  for  public  release.  The  community  group 
refused  to  back  down  and  is  now  suing  the  Army  for  information  under  an  environmental 
law  that  gives  community  groups  the  right  to  be  informed  about  toxic  chemical  threats” 
(“Fighting  Secrecy  —  And  Winning,”  OMB  Watch,  Feb.  23, 2004.  For  additional  examples 
of  the  issue  of  SBU  in  the  environmental  area,  see,  Richard  Dahl,  “Does  Secrecy  Equal 
Security?”  Environmental  Health  Perspectives,  Feb.  2004,  pp.  A104-A107).  See  also 
regarding  withholding  of  flood  inundation  maps,  Gregg  Sangillo,  “Groups  Raise  Concerns 
About  Increased  Classification  of  Documents,”  GovExec.com,  Oct.  27,  2004. 
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because  the  agencies  subsumed  by  DHS  make  environmentally  related  decisions 
relating  to  oil  spills,  border  security,  flood  planning,  and  chemical  plant  security,  and 
so  forth,  communities  should  be  given  an  opportunity  to  evaluate  these  decisions.143 
In  addition,  some  agencies  label  environmental  impact  statements  as  SBU,  saying 
that  they  should  be  released  only  to  those  who  have  a  “need  to  know.”  Some 
agencies  post  environmental  impact  materials  on  the  Internet  with  blacked-out 
markings  for  what  appears  to  be  locational  or  infrastructure  details. 144  Other  agencies 
have  published  documents  and  put  SBU  information  into  a  separate  appendix, 
available  under  controlled  access.  Generally,  because  of  “security  sensitivity,”  most 
DOE  environmental  assessment  documents  are  not  available  to  the  public  online  but 
may  be  accessible  via  hardcopy  in  NEPA  reading  rooms  if  the  requestor  qualifies.145 
Other  examples  have  been  cited  of  agencies  withholding  or  controlling  information 
that,  reportedly,  prevents  informing  the  public  of  environmental  and  other  hazards. 146 

The  American  Library  Association  (ALA)  proposed  that,  with  respect  to 
environmental  information,  DHS  should  limit  “its  non-disclosure  provision  to 
information  that  unambiguously  qualifies  for  withholding  under  one  of  the 
exemptions  provided  in  the  Freedom  of  Information  Act....”147  It  contended  that  the 
provision  allowing  DHS  to  withhold  “essentially  meaningless”  information  not  now 
subject  to  exemption  from  disclosure  should  be  deleted  since  Congress  intended  the 
public  to  determine  what  information  is  meaningful  in  the  environmental  statements. 
OMB  Watch  concurred:  “There  are  no  procedures  contained  in  the  directive  for  how 
DHS  will  determine  which  pieces  of  environmental  analysis  to  remove  if  it  falls 
within  an  exemption,  or  how  it  will  determine  if  the  public  finds  the  information 
meaningful.”148 


143  National  Resources  Defense  Council,  Comments  to  Proposed  Management  Directive 
5100.1,  Environmental  Planning  Program,  July  14,  2004,  as  cited  in  Secrecy  in  the  Bush 
Administration,  op.  cit..  Sept.  14,  2004,  p.  56.  See  also  regarding  access  to  maps  locating 
perchlorate  plumes,  “Post  9-11  Secrecy  Hits  Homer  in  Aberdeen  Maryland,”  Release 
prepared  by  the  Working  Group  on  Community  Right-to-Know,  Jan.  29,  2004. 

144  See,  for  instance,  U.S.  Department  of  Energy,  Environmental  Assessment  For  the 
Strategic  Petroleum  Reserve  West  Hackberry  Facility  Raw  Water  Intake  Pipeline 
Replacement  Cameron  and  Calcasieu  Parishes,  Louisiana,  DOE/EA-1497 
[http://www.eh.doe.gov/nepa/ea/EA1497/EA-1497.pdf]  and  “NRC  Censors  Environmental 
Impact  Statement, Watch,  Jan.  24,  2005. 

145  Source:  [http://www.eh.doe.gov/nepa/documents.html]. 

146  See  for  instance,  Lance  Gay,  “Government  Withholds  ‘Sensitive-but-Unclassified’ 

Information,”  Scripps  Howard  News  Service,  Feb.  2,  2006 

[http://www.shns.com/shns/g_mdex2.cfm?action=detail&pk=UNCLASSIFIED-02-02-06]. 

147  Emily  Sheketoff,  American  Library  Association,  Letter  “Re:  Department  of  Homeland 
Security’s  Proposed  Management  Directive  5100.1,  Environmental  Planning  Program,” 
Aug.  16,2004. 

148  “DHS  Seeks  Exemptions  From  Public  Disclosure  Requirements,”  OMB  Watcher,  July 
29,  2004.  See  also,:  Mike  Ferullo,  “Groups  Wary  of  Homeland  Security  Plan  Exemptions 
Some  Environmental  Reviews,”  Daily  Report  for  Executives,  July  16,  2004,  p.  A-21. 
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Illustration  of  Complexity  of  the  Issue:  the  Nuclear  Regulatory 
Commission  (NRC).  The  complexity  of  balancing  access  to,  and  protection  of, 
information  is  illustrated  by  actions  taken  by  the  Nuclear  Regulatory  Commission 
(NRC).  In  August  2004,  the  agency  issued  a  statement  that  “certain  security 
information  formerly  included  in  the  Reactor  Oversight  Process  will  no  longer  be 
publicly  available.”149  Its  efforts  to  “scrub  “  its  website  while  balancing  public  access 
and  information  security  generated  public  criticism  that  NRC  withheld  information 
relevant  to  the  safety  of  surrounding  residents  but  shared  such  information  with 
power  companies  and  industrial  lobbying  groups.  The  NRC  also  allegedly  threatened 
criminal  prosecution  for  persons  who  published  critiques  of  two  nuclear  reactors  in 
Indian  Point,  New  York,  even  though  the  NRC  is  reported  to  have  said  it  could  not 
specify  what  information  was  compromised.150  In  the  fall  2004,  some  “...  news  and 
watchdog  organizations  pointed  out  that  some  sensitive  documents  in  the  [NRC 
online]  library  could  be  used  by  terrorists”;  the  NRC  subsequently  closed  major 
portions  of  the  library  and  reviewed  items  it  contained.151 

Representative  Edward  J.  Markey,  a  senior  minority  member  of  the  House 
Committee  on  Energy  and  Commerce,  wrote  to  the  NRC,  requesting  that  its  inspector 
general  investigate  the  agency’s  information  release  policies  and,  specifically, 
concerns  about  the  NRC  “improperly  restricting  access  to  specific  documents  that 
should  be  releasable  from  a  security  perspective  but  are  nevertheless  being  withheld 
from  public  release.”  152  He  cited  the  agency’s  proposals  to  widen  its  definition  of 
“proprietary  information”  to  withhold  more  public  information  and  to  broaden 
restrictions  on  the  dissemination  of  sensitive  information  to  include  emergency 
evacuation  plans  and  safety  analyses  concerning  the  protection  of  nuclear  materials; 
its  actions  to  withhold  an  unclassified  version  of  an  NAS  report  allegedly  because  the 
NRC  disagreed  with  its  findings;  and  the  agencies’  prohibitions  on  non-industry 
representatives  attending  meetings  and  having  information,  even  though  industrial 
representatives  were  given  access.  In  June  2005,  the  Nuclear  Regulatory 
Commission  announced  it  would  restore  viewing  on  the  web  to  more  than  70,000 
documents,  after  reviewing  them  for  “sensitive  security  information.”153  An  NRC 


149  “NRC  Modifies  Availability  of  Security  Information  From  All  Nuclear  Plants”  NRC 
News,  Aug.  4,  2004  (No.  04-091). 

150  R.  Jeffrey  Smith,  “Nuclear  Security  Decisions  Are  Shrouded  in  Secrecy,  Agency 
Withholds  Unclassified  Information,”  Washington  Post,  May  29,  2004,  p.  A21. 

151  “NRC  Initiates  Additional  Security  Review  of  Publicly  Available  Documents; 
Temporarily  Suspends  Agency’s  On-Line  Library,”  NRC  News,  Oct.  25,  2004,  No.  04-135; 
Sean  Madigan,  “Documents  Return  to  Online  Nuclear  Regulatory  Library  After  Terror 
Review,”  CQ  Homeland  Security,  Nov.  17,  2004.  These  were  identified  as  such  things  as 
floor  plans  for  university  laboratories  giving  the  location  of  equipment  that  uses  nuclear 
materials  and  of  storage  facilities  for  them.  (See,  for  example,  M.  Ahlers,  “Blueprints  for 
Terrorists?  Sensitive  Nuclear  Info  Ends  Up  on  NRC  Web  Site,”  CNN. Com  at 
[http://www.cnn.com/2004/US/f0/f9/terror.nrc/index.html]). 

152  Letter  from  Rep.  Edward  J.  Markey  to  Hubert  T.  Bell,  Inspector  General,  U.S.  Nuclear 
Regulatory  Commission,  Mar.  21,  2005. 

153  Sean  Madigan,  “Nuclear  Documents  Back  Online,”  CQ  Homeland  Security,  June  10, 
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task  force  concluded  that  the  agency  could  withhold  information  that  could  be 
deemed  useful  to  terrorists  if  the  information  were  not  already  available  to  the  public 
pursuant  to  its  new  Sensitive  Information  Screening  Project,  but  FOIA  principles 
needed  to  be  followed  to  withhold  information.  The  task  force  identified  the  precise 
kinds  of  information  that  could  be  withheld  under  the  various  FOIA  exemptions.154 

Also  during  this  time  period,  the  National  Academies  released  an  unclassified 
version  of  a  report,  that  included  among  its  findings  that  the  commission’s  security 
restrictions  on  the  sharing  of  information  with  industry  and  the  public  negatively 
affected  “constructive  feedback  and  cooperation.  The  committee  recommended  that 
the  ...  NRC  improve  the  sharing  of  pertinent  information  on  its  security  analyses  of 
spent  fuel  storage  with  nuclear  power  plants  operators  and  system  vendors.  More 
constructive  interaction  with  the  public  and  with  independent  analysts  also  could 
increase  confidence  in  ...  NRC  and  industry  decisions  and  their  actions  to  reduce  the 
vulnerability  of  spent  fuel  storage  to  terrorist  attacks.”155 

Controls  on  Unclassified  Biological  Research  Information 

Traditionally,  open  communication  of  biological  information  fosters  the  conduct 
of  research  and  development.  Also,  emergency  preparedness  requires  exchange  of 
information  to  inform  local  health  officials  “...  of  what  agents  are  being  studied  in 
their  jurisdictions  so  they  can  prepare  for  any  unlikely  future  events.”156  However, 
some  biological  information  and  data  could  pose  a  domestic  or  international  security 
threat,  which  has  led  to  federal  controls.157  For  instance,  a  2006  National  Academies 
report  described  a  variety  of  biotechnology  agents  and  specific  genetic  advances  that 
could  be  used  in  research  and  could  increase  the  potential  for  biowarfare.158  It  also 
inventoried  some  dual-use  biological  agents  and  research  developments  that  could 


153  (...continued) 

2005.  For  original  wording,  see  “NRC  TaskForce  Report  on  Public  Disclosure  of  Security- 
Related  Information,”  Nuclear  Regulatory  Commission,  May  18,  2005,  approved  June  30, 
2005.  [http://www.fas.org/sgp/othergov/nrc-disc.pdf]. 

154  “NRC  Task  Force  Report  on  Public  Disclosure  of  Security-Related  Information,”  NRC, 
May  18,  2005,  approved  June  30,  2005,  originally  cited  in  “NRC  Adopts  Policy  on 
Disclosure  of  Security  Information,”  Secrecy  News,  Aug.  16,  2005, 

155  “Spent  Fuel  Stored  in  Pools  at  Some  U.S.  Nuclear  Power  Plants  Potentially  at  Risk  From 
Terrorist  Attacks;  Prompt  Measures  Needed  to  Reduce  Vulnerabilities,”  NAS  Press  Release, 
April  6, 2005.  See  also”Secrecy  Impedes  Security,  National  Academy  Says,”  Secrecy  News, 
Apr.  8,  2005;  and  the  NAS  report:  Safety  and  Security  of  Commercial  Spent  Nuclear  Fuel 
Storage:  Public  Report,  by  Committee  on  the  Safety  and  Security  of  Commercial  Spent 
Nuclear  Fuel  Storage,  National  Academy  of  Sciences  Press,  2005. 

156  “Laura  H.  Kahn,  “Biodefense  Research:  Can  Secrecy  and  Safety  Coexist?”  Biosecurity 
and  Bioterrorism:  Biodefense  Strategy,  Practice  and  Science,  vol.  3,  no.  2,  2004,  p.  4. 

157  For  additional  information,  see  CRS  Report  RL31695,  Balancing  Scientific  Publication 
and  National  Security  Concerns:  Issues  for  Congress ,  by  Dana  Shea. 

158  Committee  on  Advances  in  Technology  and  the  Prevention  of  Their  Applications  to  Next 
Generation  Biowarfare  Threats,  Globalization,  Biosecurity,  and  The  Future  of  the  Life 
Sciences,  National  Academies  Press,  2006,  pp.  39-40. 
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be  used  malevolently.  For  example,  “The  same  reverse  genetic  technologies  that  can 
be  used  to  develop  new  vaccines  against  RNA  viruses  could  also  be  used  to  construct 
modified  viruses,  including  possibly  viruses  that  express  heterologous  virulence 
factors  that  result  in  more  lethal  disease.”159  Ominously,  it  observed  that 

[in]  the  past,  dual-use  concerns  have  focused  on  pathogens  and  on  the  challenges 
associated  with  controlling  dangerous  pathogens.  As  already  emphasized,  this 
committee’s  deliberations  have  indicated  that  the  problem  will  be  far  broader  and 
more  profound  in  the  future.  For  example,  advances  in  neurobiology  may  make 
it  possible  to  manipulate  behavior  and  thought  processes,  while  gene  expression 
technologies  just  now  coming  to  fruition  will  make  it  possible  to  activate 
endogenous  molecules  in  the  body  —  with  possibly  wide  ranging  and  everlasting 
effects.  Advances  in  synthetic  biology  and  nanotechnology  will  offer  similar 
rich  opportunities  for  dual  use.  Nanodevices  that  may  be  used  to  unplug  blocked 
arteries  could  instead  be  employed  to  interfere  with  circulatory  function. 
Advanced  drug  delivery  technologies  and  pharmacogenomics  knowledge  could 
be  used  to  develop  and  deliver  with  greater  efficiency  new  bioweapons,  perhaps 
even  selectively  targeting  certain  racial  or  ethnic  groups.”160 

To  deal  with  concerns  like  these,  some  types  of  biological  sciences  information 
have  already  been  controlled  and  proposals  have  been  made  to  develop  other  types 
of  governmental  or  nongovernmental  systems  to  control  access  to  information  before 
research  is  conducted  or  in  the  prepublication  phase.  These  proposals,  which  are 
discussed  next,  are  not  without  controversy. 

The  federal  government’s  regulation  requiring  the  registration  of  laboratories 
that  transferred  certain  “select  agents”  —  organisms  and  toxins  identified  by  the 
Centers  for  Disease  Control  and  Prevention  (CDC)  as  potentially  useful  in 
bioterrorist  activities  — began  in  1996. 161  Registration  of  laboratories  that  possess 
such  agents  was  mandated  by  P.L.  107-188,  “The  Public  Health  Security  and 
Bioterrorism  Preparedness  and  Response  Act  of  2002,”  enacted  after  the  9/11  attacks. 
The  law  requires  coordination  between  the  Department  of  Health  and  Human 
Services  (DHHS)  and  the  Department  of  Agriculture  (USDA)  to  identify  and  regulate 
the  use  and  transfer  of  such  agents  that  pose  a  risk  to  public  health,  crops  or 
livestock;  registration  of  all  facilities  that  use  such  agents;  minimum  safety 
requirements  for  registered  facilities;  background  screening  of  persons  using  such 
agents;  and  a  national  database  of  such  users.  The  USA  PATRIOT  Act,  P.L.  107-56 
prohibits  access  to  select  agents  by  certain  persons,  including  certain  immigrants,  and 
persons  with  criminal  or  drug  use  history  and  other  factors.  Interim  final  regulations 
implementing  these  laws  were  issued  in  December  2002. 162 


159  Globalization,  Biosecurity,  and  The  Future  of  the  Life  Sciences,  op.  cit.,  p.  53. 

160  Globalization,  Biosecurity,  and  The  Future  of  the  Life  Sciences,  op.  cit.,  p.  55. 

161  Pursuant  to  the  Antiterrorism  and  Effective  Death  Penalty  Act  of  1996  (P.L.  104-132). 
For  further  information  on  this  and  subsequent  activity,  see  CRS  Report  RL31719,  An 
Overview  of  the  U.S.  Public  Health  System  in  the  Con  text  of  Emergency  Preparedness,  by 
Sarah  A.  Lister. 

162  The  DHHS  regulation  is  codified  at  42  CFR  Section  73.0,  and  the  USDA  regulation  at 
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National  Science  Advisory  Board  for  Biosecurity.  A  National  Academy 
of  Sciences  (NAS)  report,  Biotechnology  Research  in  an  Age  of  Terrorism: 
Confronting  the  “ Dual  Use ”  Dilemma,  published  in  2004  and  dubbed  the  “Fink” 
report  after  the  committee  chairman,  called  for  greater  self-regulation  by  scientists, 
use  of  institutional  biosafety  committees  at  academic  and  research  institutions  to 
monitor  research  that  could  possibly  aid  terrorism,  NIH  review  of  certain  types  of 
research  reports  before  they  are  published,  and  use  of  screening  criteria  in  a 
prepublication  review.  Regarding  private  scientific  publishing,  the  Fink  report 
largely  left  it  up  to  journal  publishers  to  make  decisions  about  prepublication  review 
procedures  for  articles  involving  biological  agents.  The  Fink  report  also  urged 
creation  of  a  new  federal  advisory  board  to  guide  nongovernmental  researchers  and 
to  develop  responsibility  among  scientists  to  control  flows  of  biodefense  information. 
But  it  did  not  propose  governmental  control  of  such  research. 

In  March  2004,  the  DHHS  announced  its  intent  to  create  a  National  Science 
Advisory  Board  for  Biosecurity  (NS ABB),  which  became  funded  in  2005.  It  is 
managed  and  staffed  by  the  National  Institutes  of  Health  (NIH).  The  NS  ABB  is 
chartered  to  have  25  voting  nongovernmental  members  with  a  broad  range  of 
expertise  in  molecular  biology,  microbiology,  infectious  diseases,  biosafety,  public 
health,  veterinary  medicine,  plant  health,  national  security,  biodefense,  law 
enforcement,  scientific  publishing,  and  related  fields.  The  NSABB  also  includes 
nonvoting  ex  officio  members  from  15  federal  agencies  and  departments.  It  is 
supposed  to  advise  federal  departments  and  agencies  regarding  oversight  of  dual-use 
nonclassified  biological  research.  The  board’s  charter  also  includes  work  to  develop 
national  policies  to  communicate  and  publish  sensitive  research  results,  a  code  of 
conduct  for  life  sciences  researchers,  training  programs  and  materials  to  educate  the 
community  about  biosecurity,  and  strategies  to  foster  international  collaboration  to 
oversee  dual-use  life  sciences  research.  NIH  aims  to  use  the  committee’s  guidance 
to  develop  policies  to  require  performer  institutions  that  it  funds  to  use  Institutional 
Biosafety  Committees  (IBC),  to  educate  researchers,  to  issue  guidance,  and  to  review 
and  advise  on  specific  experiments  that  might  be  misused  or  pose  a  threat  to  the 
public  health  or  national  security.  Policy  guidance  will  flow  from  the  federal  board 
to  the  institutional  committees  if  there  is  uncertainty  or  disagreement  regarding  denial 
of  an  experiment.  The  NSABB  met  several  times  in  2005  and  2006;  it  will  meet  next 
on  January  31  to  February  2,  2007. 

During  its  first  meeting,  the  board  established  five  working  groups  to  develop 
criteria  to  identify  dual-use  research;  criteria  to  communicate  results  of  dual-use 
research;  a  life  sciences  code  of  conduct;  international  perspectives  on  dual-use 
research;  and  guidance  on  chemical  synthesis  of  bacterial  and  viral  genomes.163 
Some  discussants  proposed  that  biologists  should  be  licensed  to  conduct  sensitive 
biological  research,  that  codes  of  conduct  would  need  to  be  certified,  and  that 
methods  of  assuring  compliance  among  research  institutions  would  need  to  be 


162  (...continued) 

7  CFR  Part  331  and  9  CFR  Part  121. 

163  Janet  Coleman,  “NSABB  Working  Groups  Will  Begin  Discussions  Soon...,”  Research 
Policy  Alert,  July  5,  2005. 
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developed.164  Some  contended  that  if  the  scientific  community  did  not  develop 
methods  of  monitoring  and  protecting  sensitive  research,  policy  makers  might 
develop  and  try  to  enforce  more  stringent  controls  that  ultimately  might  prove  to  be 
unacceptable.165 

During  the  July  2006  meeting,  NSABB  recommended  in  draft  guidelines 
released  for  public  comment  that  authors,  institutional  reviewers,  and  journal  editors 
conduct  a  risk-benefit  analysis  as  part  of  “formal  procedures  to  presecreen  the 
publication  of  findings  from... dual-use  projects”  that  might  be  useful  to  terrorists.166 

During  its  October  25,  2006  meeting,167  which  addressed  the  topic  of  synthetic 
biology,  among  other  things,  the  Board  adopted  draft  recommendations,  published 
for  comment,  that  the  government  “regulate  potentially  dangerous  gene  sequences 
instead  of  a  list  of  known  pathogens”  since  the  current  rules  for  select  agents  identify 
a  finite  list  of  organisms,  and  do  not  account  for  biological  entities  that  can  be 
synthetically  engineered.168  The  board  “...also  wants  the  government  to  require 
companies  to  screen  orders  for  synthetic  DNA  against  the  genomes  of  select  agents 
and  to  maintain  a  record  of  purchase  orders.  Neither  procedure  is  currently  mandated 
by  law.”169  Topics  for  subsequent  NSABB  meetings  include  developing  oversight 
plans  and  implementation  processes  for  these  guidelines  in  academia  and  in 
government.  It  is  likely  that  some  scientists  will  object  to  guidelines  requiring 
prepublication  review.170 

Views  on  Adequacy  of  Biosecurity  Protection  Policies.  Some  critics 
say  existing  biosecurity  protections  are  inadequate  to  prevent  terrorists  from 
obtaining  and  using  biological  information  and  suggest  that  stronger  measures  should 


164  “Rules  of  Engagement,”  Nature ,  July  7,  2005,  p.  2. 

165  Eugene  Russo,  “New  Biosecurity  Panel  Struggles  With  Role  in  Monitoring  Sensitive 
Research,”  Research  Policy  Alert,  July  5,  2005.  See  also  Jeffrey  Brainard,  “National 
Biosecurity  Board  Holds  First  Meeting,  Ponders  Limits  on  Research,”  Chronicle  of  Higher 
Education ,  July  1,  2005. 

166  Yudhijit  Bhattacharjee,  "Biosecurity:  U.S.  Panel  Calls  for  Extra  Review  of  Dual-Use 
Research,”  Science,  July  21,  2006,  p.  284.  The  draft  guidelines  are:  National  Science 
Advisory  Board  for  Biosecurity,  NSABB  Draft  Guidance  Documents,  July  2006, 
[http://www.biosecurityboard.gov/pdf/NSABB%20Draft%20Guidance%20Documents.pdf]. 
They  focus  on  I.  Criteria  for  Identifying  Dual  Use  Research  of  Concern,  11.  Tools  for  the 
Responsible  Communication  of  Research  with  Dual  Use  Potential,  III.  Considerations  in 
Developing  a  Code  of  Conduct  for  Dual  Use  Research  in  the  Life  Sciences. 

167  See,  [http://www.biosecurityboard.gov/meetings_archive_102506.asp]. 

168  Yudhijit  Bhattacharjee,  "Bioterrrorism  Agents:  U.S.  Panel  Wants  Security  Rules  Applied 
to  Genomes,  Not  Pathogens,”  Science,  Nov.  3, 2006,  p.  743.  The  draft  document  is  entitled, 
NSABB,  Addressing  Biosecurity  Concerns  Related  to  the  Synthesis  of  Select  Agents.  Draft 
Recommendations,  Prepared  by  the  Working  Group  in  Synthetic  Genomics,  18  p. 

169  Bhattacharjee,  July  21,  2006,  op.  cit. 

170  Bhattacharjee,  July  21,  2006,  op.  cit.  For  additional  information,  see  Oversight  of 
Dual-Use  Biological  Research:  The  National  Science  Advisory  Board  for  Biosecurity,  CRS 
Report  RL33342,  by  Dana  A.  Shea. 
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be  taken,  such  as  creation  of  a  network  that  interacts  closely  with  intelligence  and 
military  agencies  to  prevent  misuse  of  biological  information.171  Related  to  this,  a 
2006  National  Academies  report,  concerned  about  how  new  developments  in  the  life 
sciences  coupled  with  rapidly  advancing  fields  such  as  nanotechnology  and  materials 
science  could  prove  to  threatening,  endorsed  the  free  and  open  change  of  information 
in  the  life  sciences  to  the  maximum  extent  possible.  However,  it  also  recommended, 

•  creating  statutorily  an  independent  advisory  group  in  the  security 
community  to  strengthen  scientific  and  technical  expertise  within 
the  intelligence  and  security  communities; 

•  adopting  and  promoting  a  “common  culture  of  awareness  and  a 
shared  sense  of  responsibility  within  the  global  communities  of  life 
scientists,”  including  development  of  codes  of  ethics;  and 

•  establishing,  “...  a  decentralized,  globally  distributed  network  of 
informed  concerned  scientists  who  have  the  capacity  to  recognize 
when  knowledge  or  technology  is  being  used  inappropriately  or  with 
the  intent  to  cause  harm”172  and  whose  interventions  could  take  the 
form  of  counseling  or  “...  reporting  such  activity  to  national 
authorities  when  its  appears  potentially  malevolent  in  intent.”173 

Other  shortcomings  in  current  policy  have  been  identified.  For  instance,  the 
scope  of  the  DHHS’s  NSABB  board  has  been  faulted  because  it  does  not  extend  to 
privately  funded  research  nor  harmonize  international  standards.174  Others  criticize 
the  select  agent  rules  as  inadequate  and  say  federal  regulations  should  be  expanded 
to  prevent  unauthorized  persons  from  possessing  the  DNA  components  of  a  select 
agent.175  George  Church,  a  genetics  professor  at  Harvard,  reportedly  “is  organizing 
a  consortium  of  researchers  and  academics  to  push  the  federal  government  to  license 
anyone  interested  in  purchasing  DNA  segments  for  agents  of  bioterror.”176 
Similarly,  John  Steinbruner  and  colleagues  at  the  Center  for  International  and 
Security  Studies  at  Maryland  (CISSM),  in  a  2005  report,  advocated  mandatory 
licensure  of  researchers  and  institutions  that  conduct  biodefense  research.  Three 
levels  of  independent  review  —  at  the  institutional,  national,  and  international  level 
—  would  monitor  risks  and  benefits  of  research  proposals  and  would  issue  approval 
or  disapproval  for  conduct  of  researchers  and  publications.177 


171  Russo,  July  6,  2005,  op.  cit 

172  Globalization,  Biosecurity,  and  the  Future  of  the  Life  Sciences,  op.  cit.,  p.  8. 

173  Globalization,  Biosecurity,  and  the  Future  of  the  Life  Sciences ,  op.  cit.,  p.  9. 

174  Jennifer  Couzin,  “U.S.  Agencies  Unveil  Plan  for  Biosecurity  Peer  Review,”  Science, 
Mar.  12,  2004,  citing  Elisa  Harris  of  the  University  of  Maryland’s  Center  for  International 
and  Security  Studies. 

175  Caitlin  Harrington,  “Lab-Synthesized  Diseases  Open  a  New  Front  in  Bioterror  War,”  CQ 
Homeland  Security,  Aug.  2,  2004. 

176  Harrington,  op.  cit. 

177  Eugene  Russo,  “Biodefense  Research  Needs  Formal  Oversight  and  Licensure  -  University 
of  Maryland  Report,”  Research  Policy  Alert,  Feb.  22,  2006,  citing  John  Steinbruner,  et  al., 
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Nongovernmental  professional  groups  have  explored  the  use  of  codes  of 
conduct  or  self-policing  policies178  for  research  topics  and  publications.  Some 
publishers  adopted  a  set  of  voluntary,  risk-based  publishing  principles,  called 
“Statement  of  Scientific  Publication  and  Security,”  2003;  but  this,  reportedly,  has 
resulted  in  changes  in  only  very  few  articles  before  publication.179  In  June  2005,  the 
American  Society  for  Microbiology  drafted  a  code  of  ethics  for  its  members  and 
urged  them  to  report  to  “appropriate  authorities”  misuses  of  microbiology 
information.180  The  Interacademy  Panel  on  International  Issues,  consisting  of  most 
of  the  world’s  national  science  academies,  issued  a  set  of  principles  that  urged 
scientists  to  take  responsibility  to  prevent  misuse  of  their  work. 181  Two  researchers, 
Margaret  A.  Somerville  of  McGill  University  and  Ronald  M.  Atlas,  President  of  the 
American  Society  for  Microbiology,  proposed  an  international  code  of  ethics  to 
prevent  bioterrorism.182  Adherents  to  the  code  would  refuse  to  conduct  work  that 


177  (...continued) 

Controlling  Dangerous  Pathogens:  A  Prototype  Protective  Oversight  System,  University  of 
Maryland,  2005. 

178  For  a  representative  list  of  codes  of  ethics  developed  by  professional  groups,  see  online 
at  [http://www.biosecuritycodes.org/codes_archive.htm] . 

179  Reportedly,  the  statement  of  policy  was  adopted  by  science  journal  editors  and  released 
on  Feb.  15, 2003,  and  was  published  in  Science,  Nature,  and  the  Proceedings  of  the  National 
Academy  of  Sciences.  It  is  available  at  [http://www.fas.org/sgp/news/2003/02 
/sci02 1503.html].  For  additional  information,  see  CRS  Report  RL3 1695,  op.  cit.  It  has  been 
reported  that,  according  to  an  article  published  in  2003,  “...  the  American  Society  of 
Microbiology  (ASM)  flagged  two  out  of  fourteen  thousand  articles  as  unsuitable  for 
publication,  and  both  of  these  papers  were  likely  to  be  published  after  changes  were 
made.... (The  Unintended  Audience:  Balancing  Openness  and  Secrecy:  Crafting  an 
Information  Policy  for  the  21st  Century,  op.  cit.,  p.  39). 

180  Eugene  Russo,  “Biosecurity  Advisory  Board  Considers  Code  of  Ethics,”  Research  Policy 
Alert,  July  6,  2005. 

181  Shirley  Haley,  “Scientists  Must  Take  Responsibility  for  Preventing  Misuse  of  Their 
Work  —  Interacademy  Panel,”  Research  Policy  Alert,  Dec.  6, 2005.  The  document  is  “IAP 
Statement  on  Biosecurity,”  Nov.  7,  2005. 

182  Margaret  A.  Somerville  and  Ronald  M.  Atlas,  “Ethics:  A  Weapon  to  Counter 
Bioterrrorism,”  Science,  Mar.  25,  2005,  pp.  1881,  1882.  The  proposed  code  is:  “In  order  to 
prevent  the  life  sciences  from  becoming  the  death  sciences  through  bioterrorism  or 
biowarfare,  all  persons  and  institutions  engaged  in  all  aspects  of  the  life  sciences  must:  “1 . 
Work  to  ensure  that  their  discoveries  and  knowledge  first  do  no  harm:  I)  by  refusing  to 
engage  in  any  research  that  is  intended  to  facilitate,  or  there  is  a  high  probability  of  its  being 
used  to  facilitate  bioterrorism  or  biowarfare,  both  of  which  violate  the  fundamental  moral 
values  of  humanity;  and  ii)  by  complying  with  the  prohibition  of  the  Biological  Weapons 
Convention  to  never,  under  any  circumstances,  knowingly  or  recklessly  contribute  to  the 
development,  production  or  acquisition  of  microbial  or  other  biological  agents  or  toxins, 
whatever  their  origin  or  method  of  production,  of  types  or  in  quantities  that  cannot  be 
justified  on  the  basis  of  their  being  necessary  for  prophylactic,  protective,  therapeutic,  or 
other  peaceful  purposes.  2.  Work  for  the  ethical  and  beneficent  advancement,  development 
and  use  of  scientific  knowledge.  3.  Call  to  the  attention  of  the  public,  or  the  appropriate 
persons  or  bodies,  activities,  including  unethical  research,  that  there  are  reasonable  grounds 
to  believe  are  likely  to  contribute  to  bioterrorism  or  biowarfare.  4.  Take  reasonable  care  to 

(continued...) 


CRS-42 


could  be  used  in  bioterrorism  and  would  seek  to  restrict  access  of  those  they  believe 
could  use  information  maliciously. 

It  was  noted  above  in  the  section  on  “Nongovernmental  Experts’ 
Recommendations  To  Use  Risk  Analysis  To  Identify  and  Control  Sensitive 
Information,”  that  proposals  have  been  made  to  instill  in  researchers  a  culture  that 
discourages  research  that  could  be  used  malevolently,  that  professional  peer  reviews 
should  be  conducted  before  publication  of  work  that  should  be  protected,  and  that  the 
federal  government  should  define  policy  controls  for  these  activities.  In  addition,  J. 
Gaudioso  and  R.  M.  Salerno  proposed  a  biosecurity  risk  assessment  process  that 
would  restrict  the  use  of  agents  that  have  the  potential  to  be  weaponized  and  that 
could  serve  as  the  basis  for  international  standards.  This  process  would  involve  using 

four  Biosecurity  levels:  low,  moderate,  high,  and  extreme  risk.  The 
overwhelming  majority  of  pathogens  and  toxins  would  fall  into  the  low -risk 
category  (requiring  practices  such  as  locking  unattended  laboratories  and 
maintenance  of  documentation  of  agents  used),  and  most  select  agents  would  be 
placed  in  the  moderate -risk  category  (requiring  additional  safeguards  such  as 
access  controls  and  personnel  checks).  The  security  measures  for  low-and 
moderate -risk  categories  should  pose  reasonable  costs  and  largely  rely  on 
existing  biosafety  measures.  Very  few  agents  would  be  designated  high  risk 
(requiring  more  stringent  security  measures  and  a  dedicated  Biosecurity  officer). 
Perhaps  only  variola  major,  because  it  is  no  longer  found  in  nature  would  be 
considered  an  extreme  risk,  requiring  the  most  stringent  protections  (such  as 
comprehensive  background  investigations  and  an  on-site  guard  force).  Higher 
security  than  that  currently  mandated  by  federal  regulations  would  only  be 
applied  for  those  very  few  agents  that  represent  true  weapon  threats.  Biosecurity 
levels  should  be  developed  and  vetted  by  experts  in  biological  weapons, 
microbiology,  security,  and  public  and  agricultural  health.  This  would  help 
federal  agencies  apply  uniform  criteria  to  grantees  and  could  form  the  basis  for 
standardizing  biosecurity  internationally.183 


182  (...continued) 

assure  biosecurity  by  seeking  to  allow  access  to  biological  agents  that  could  be  used  as 
biological  weapons  only  to  individuals  who  there  are  reasonable  grounds  to  believe  will  not 
misuse  them.  5.  Seek  to  restrict  the  dissemination  of  dual-use  information  and  knowledge 
to  those  who  need  to  know  in  cases  where  there  are  reasonable  grounds  to  believe  that  there 
are  serious  risks  that  information  or  knowledge  could  be  readily  misused  to  inflict  serious 
harm  through  bioterrorism  or  biowarfare.  6.  Subject  research  activities  to  ethics  and  safety 
reviews  and  monitoring  to  establish  their  ethical  acceptability:  I)  to  ensure  that  legitimate 
benefits  are  being  sought  and  that  they  outweigh  the  risks  and  harms;  and  ii)  if  human  or 
animal  subjects  are  involved,  to  ensure  that  such  involvement  is  ethical  and  essential  for 
carrying  out  highly  important  research.  7.  Abide  by  laws  and  regulations  that  apply  to  the 
conduct  of  science  unless  to  do  so  would  be  unethical,  and  recognize  a  responsibility  to 
work  through  relevant  societal  institutions  to  change  those  laws  and  regulations  that  are  in 
conflict  with  ethics.  8.  Recognize  all  persons’  rights  of  conscientious  objection  to 
participation  in  research  that  they  consider  ethically  or  morally  objectionable  and  to  refuse 
to  participate  without  penalty.  9.  Faithfully  transmit  the  duties  and  obligations  embodied 
in  this  code,  and  the  ethical  principles  upon  which  it  is  based  to  all  who  are,  or  may  become, 
engaged  in  the  conduct  of  science.” 

183  Jennifer  Gaudioso  and  Reynolds  M.  Salerno,  “Biosecurity  and  Research:  Minimizing 
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Brian  J.  Gorman  proposed  a  risk-based  alternative  approach  for  prepublication 
peer  review.  He  called  for  a  risk-based  process  called  “Due  Process  Vetting  System” 
(DPVS)  together  with  a  Risk  Assessment  Scale  [RAS]  and  a  Least  Restrictive 
Classification  System  for  the  communication,  assessment,  and  disposition  of 
sensitive  life  science  research  in  a  manner  consistent  with  national  security 
interests.”184  The  process  would  be  overseen  by  a  new  agency  called  the  Biologic 
Regulatory  Commission,  modeled  after  the  Nuclear  Regulatory  Commission.  The 
vetting  process  would  be  triggered  at  the  request  of  an  author  or  peer  reviewer  if  an 
article  attained  a  predetermined  score  on  the  RAS  set  by  the  BRC.  “The  RAS  surveys 
opinions  of  informed  reviewers  including  the  author  of  the  article,  the  author’s 
Institutional  Review  Board  or  Institutional  Biosafety  Committee  (IBC),  and  finally 
the  journal  interested  in  publishing  the  article.”185  The  DPVS  would  safeguard  high- 
risk  articles  by  providing  the  government  with  a  mechanism  to  identify  “potentially 
dangerous  articles  before  they  reach  the  presses,”186  would  avoid  the  “deleterious 
effects  of  censorship,”187  and  would  make  articles  available  only  to  a  “select 
academy  of  biodefense  researchers  after  the  authors,  the  publishing  journal  and 
others,  reach  a  consensus  with  the  government  through  cooperative  vetting  of  the 
article  in  question.”188  Gorman  proposed  expanding  the  academy  to  a  qualified  body 
of  world  scientists,  an  approach  he  said  is  superior  to  the  ASM  model  and  ad  hoc 
approaches  undertaken  by  the  majority  of  U.S.  biosciences  journals.189 

Some  scientists  disagree  with  the  types  of  aforementioned  restrictions.  Existing 
controls  on  “select  agents,”  reportedly,  have  caused  “  ...  many  researchers  ...  to 
discontinue  or  not  pursue  research  on  regulated  biological  agents,  rather  than 
implement  the  new  security  regulations  and  bear  the  associated  financial  burden. 
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Adverse  Impacts,”  Science,  Apr.  30,  2004,  citing  J.  Gaudioso  and  R.  M.  Salerno,  “A 
Conceptual  Framework  for  Biosecurity  Levels,”  BTR  2004:  Unified  Science  and  Technology 
for  Reducing  Biological  Threats  and  Countering  Terrorism  —  Proceedings,  Albuquerque, 
NM,  March  18-19,  2004. 

184  Brian  J.  Gorman,  “Balancing  National  Security  and  Open  Science:  A  Proposal  for  Due 
Process  Vetting,”  Yale  Journal  of  Law  and  Technology,  2005,  pp.  2,  15. 

185  Gorman,  op.  cit.,  pp.  28-29.  The  proposed  survey  would  use  a  five -level  scaling  technique 
that  would  generate  a  risk  score.  The  survey  would  “...address  the  degree  to  which  the 
prospective  article  presents  danger  to  human  life,  livestock,  and  agriculture  on  several  axes.” 
Survey  questions  would  focus  on  whether  the  paper  would  present  a  risk  to  society,  render 
a  vaccine  ineffective,  contribute  to  increasing  resistance  to  antibiotic  or  antiviral  agents,  lead 
to  increased  virulence  of  a  pathogen,  increased  transmissability  of  a  pathogen,  alter  the  host 
range  of  a  pathogen,  permit  evasion  of  diagnosis  or  detection,  or  contribute  to  weaponization 
of  a  biological  agent  (Gorman,  pp.  33-34).  It  would  also  assess  the  potential  for  a 
“malevolent  actor”  to  “use  the  science  in  question,”  the  extent  of  damage  from  misuse,  and 
the  potential  for  publication  of  the  material  to  promote  “conversion  of  benign”  already 
published  articles  to  more  sensitive  status  (Gorman,  pp.  35-37). 

186  Gorman,  op.  cit.,  pp.  21-22 

187  Gorman,  op.  cit.,  p.  21. 

188  Gorman,  op.  cit.,  p.  21. 

189  Gorman,  op.  cit.,  pp.23,  43. 
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Reportedly,  the  CDC  expected  817  entities  to  register  under  the  new  select  agent  rule. 
Instead,  only  323  facilities  are  registered  with  the  CDC,  which  indicated  that  many 
institutions  have  discontinued  their  work  with  select  agents.”190  There  are  also 
complaints  that  U.S.  “select  agent”  rules  can  hinder  cooperation  from  foreign 
scientists  who  cannot  afford  security  controls  and  that  many  foreign  laboratories  do 
not  meet  the  standards  for  conducting  such  research  demanded  by  the  U.S. 
government.  As  a  result,  foreign  partners,  some  charge,  may  be  forced  to  become 
“mere  sample  exporters,”  and  criminal  sanctions  might  be  applied  to  the  U.S.  partner 
in  a  foreign  collaboration  if  the  foreigner  partner’s  laboratory  does  not  meet  U.S. 
research  security  standards.191  Complaints  about  the  CDC’s  “information  security” 
manual  have  led  to  concern  by  influenza  researchers  that  the  CDC  is  not  releasing 
databases  of  virus  sequences  and  other  data  needed  to  develop  flu  vaccines,  thereby 
potentially  damaging  the  development  of  public  health  protections.192 

In  addition,  at  the  first  NSABB  meeting,  some  members  suggested  that  instead 
of  formal  restrictions,  ethics  education  for  researchers  would  suffice  to  deal  with 
potential  problems. 193  Others  suggest  that  controls  on  biological  research  information 
could  constrain  the  exchange  of  information  needed  to  develop  effective  defenses 
against  dangerous  pathogens.194  A  National  Academies  report,  Seeking  Security; 
Pathogens,  Open  Access  and  Genomic  Data  Bases,  published  in  2004,  that  had  been 
requested  by  the  National  Science  Foundation  and  the  Central  Intelligence  Agency, 
concluded  that  there  should  be  no  change  in  current  policies  that  allow  scientists  and 
the  public  unrestricted  access  to  genome  data  on  microbial  pathogens.  Access,  it 
concluded,  improves  the  nation’s  ability  to  fight  both  bioterrorism  and  naturally 
occurring  infectious  diseases.195  Open  access  to  raw  sequence  data  is  unlikely  to  help 
bioterrorists  develop  weapons,  and  preventing  distribution  of  such  information  could 
hurt  research  to  prevent  bioterrorism  and  emerging  diseases  such  as  severe  acute 
respiratory  syndrome  (SARS).  Genomic  information  about  most  dangerous 
pathogens  is  already  available,  it  said,  and  if  the  government  wants  to  restrict 
distribution  of  information  in  the  future,  such  information  should  be  classified.  The 
report  concluded  that  security  against  bioterrorism  would  be  achieved  best  by 
policies  that  facilitate,  not  limit,  the  free  flow  of  this  information.  In  May  2005,  the 
DHHS  attempted  to  prevent  the  National  Academy  of  Sciences  from  publishing  an 
article  in  the  Proceedings  of  the  Nationcd  Academy  of  Sciences  on  how  the  U.S.  milk 
supply  could  be  tainted  with  botulism  and  control  measures  to  prevent  it.  The 


190  See  Gaudioso  and  Salerno,  “Biosecurity  and  Research:  Minimizing  Adverse  Impacts,” 
Science,  Apr.  30,  2004,  op.  cit.  See  also  CRS  Report  RL31719.  op.  cit. 

191  Richard  Stone,  “Select  Agents:  Heightened  Security  or  Neocolonial  Science?,”  Science, 
Dec,.  24,  2004. 

192  Rebecca  Carr,  “CDC  Locks  Up  Flu  Data,”  The  Atlanta  Journal-Constitution,  Oct.  3, 
2005. 

193  “Rules  of  Engagement,”  op.  cit. 

194  Laura  Donohue  (fellow  at  the  Center  for  International  Security  and  Co-operation), 
“Censoring  Science  Won’t  Make  Us  Any  Safer,  The  Washington  Post,  June  26, 2005,  p.  B05 

195  The  report  is  Seeking  Security:  Pathogens,  Open  Access,  and  Genome  Databases.  Cited 
in  David  Malakoff,  “Report  Upholds  Public  Access  to  Genetic  Codes,”  Science,  Sept.  17, 
2004. 
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Academy  published  it  on  the  grounds  that  the  benefits  of  publishing  the  paper  giving 
biodefense  guidance  outweighed  any  threats.196 

Other  nations  and  international  scientific  groups  have  addressed  this  issue.  For 
instance,  reportedly  a  December  13,  2004  paper  issued  jointly  by  the  United 
Kingdom’s  Royal  Society  and  the  Wellcome  Trust  urged  caution  on  government 
intervention.  The  joint  paper  said  “government  should  ask  scientific  societies  and 
funding  institutions  to  take  more  responsibility  for  vetting  and  preventing  the 
dissemination  of  risky  technical  details.  The  paper  suggested  that  grant  review  forms 
could  include  a  check  box  for  bioterror  issues  to  ensure  that  they  are  considered.”197 
Also,  at  a  meeting  in  June  2005  in  Geneva,  life  scientists  from  several  countries 
sought  to  develop  a  code  of  conduct.  Biosafety  in  life  sciences  research  was  also  a 
topic  of  discussion  at  an  Organization  for  Economic  Cooperation  and  Development 
(OECD)  International  “futures”  program  meeting  in  September  2004,  and  the 
National  Academies  held  an  International  Forum  on  Biosecurity  in  Como,  in  March 
2005  to  discuss  convergence  on  codes  of  conduct  and  oversight  of  biosecurity 
research.198 

Issues  Dealing  with  Geospatial  Information 

There  is  considerable  controversy  about  providing  access  to  certain  types  of 
geospatial  information,  including  satellite  imagery  and  maps  depicting  ordinary 
geographic  features,  buildings,  sensitive  facilities,  hazardous  materials  storage 
facilities,  and  so  forth. 

Supporting  more  open  access  to  such  information,  in  March  2004,  the  RAND 
Corporation  released  a  study  recommending  that  the  federal  government  should  not 
remove  geospatial  information  such  as  maps  and  imagery  from  public  availability 
because  much  of  it  is  not  current  enough  to  meet  terrorists’  needs,  terrorists  can 
obtain  such  information  from  other  sources,  and  the  public  benefits  from  access  to 
much  federal  geospatial  information.  Instead,  it  recommended  that  the  federal 
government  develop  an  analytical  process  to  assess  the  potential  homeland  security 
sensitivity  of  specific  publicly  available  geospatial  information  using  three  filters: 
usefulness,  uniqueness,  and  societal  benefits  and  costs.199  Subsequently,  in  June 
2005,  the  Homeland  Security  Group  of  the  Federal  Geographic  Data  Committee,  an 
18-member  federal  interagency  group  that  coordinates  geospatial  data,  issued  for 


196  Kelly  Field,  “Federal  Officials  Ask  National  Academy  of  Sciences  Not  to  Publish  Paper 
on  Bioterrorism,”  Chronicle  of  Higher  Education,  June  6,  2005;  Richard  Monastersky  and 
David  Glenn,  “National  Academy  of  Sciences  Publishes  Paper  that  U.S.  Calls  ‘Road  Map 
for  Terrorists,”’  Chronicle  of  Higher  Education,  July  8,  2005. 

197  Eliot  Marshall,  “Biodefense:  Experts  Warn  Against  Censoring  Basic  Science,”  Science, 
Dec.  17,  2004. 

198  Janet  Coleman,  “Dual  Use  International  Dialogue  Hampered  by  Lack  of  Recognition  of 
Biosecurity  Risk,”  Research  Policy  Alert,  July  11,  2005. 

199  John  C.  Baker,  et  al.,  Mapping  the  Risks:  Assessing  the  Homeland  Security  Implications 
of  Publicly  Available  Geospatial  Information,  Prepared  for  the  National  Geospatial- 
Intelligence  Agency,  RAND  National  Defense  Research  Institute,  2004,  pp.  xvii-xxxiv. 
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consideration  interim200  and  then  final  guidelines  for  public,  private,  and  nonprofit 
organizations  that  originate  and  publicly  disseminate  geospatial  data.201  The 
guidelines  seek  to  balance  “security  risks  and  the  benefits  of  geospatial  data 
dissemination”  and  suggest  how  organizations  can  use  risk-based  procedures  to 
provide  access  to  data  while  protecting  sensitive  information.  The  group  observed 
that  safeguarding  is  justified  only  for  data  that  contain  sensitive  information  that  is 
difficult  to  observe  and  not  available  from  open  sources,  that  are  the  unique  source 
of  the  sensitive  information,  and  for  which  the  security  risk  outweighs  the  societal 
benefit  of  dissemination.  Two  options  were  offered  to  handle  sensitive  data  before 
public  release  —  changing  it  to  remove  or  modify  the  sensitive  information  by 
summarizing  it,  blurring  details,  and  so  forth;  or  restricting  the  data  but  maintaining 
it  in  original  form  and  making  it  available  to  those  who  need  it,  such  as  first 
responders.202 

Congressional  action  in  2004  tightened  controls  on  some  geospatial  information. 
Section  914  of  P.L.  108-375,  the  Defense  Authorization  Act  FY2005,  signed  on 
October  28,  2004,  authorized  a  new  FOIA  exemption  three  category  permitting  the 
withholding  from  public  disclosure  of  land  remote  sensing  information  prohibited 
from  sale  to  nongovernment  or  government- approved  customers  for  reasons  of 
national  security  and  under  license  as  described  by  the  Land  Remote  Sensing  Policy 
Act  of  1992,  (15  U.S.C.  Section  5601  et  seq.).  Such  information  may  not  be 
exempted  from  disclosure  to  Congress;  information  disclosed  to  state  or  local 
government  may  not  be  made  available  to  the  public;  and  agencies  are  required  to 
protect  such  information  from  disclosure.  On  November  18,  2004,  the  DOD’s 
National  Geospatial  Intelligence  Agency  (NGA)  announced  that  for  security  reasons, 
as  well  as  for  reasons  of  potential  intellectual  property  rights  violations  for 
information  gathered  commercially  in  other  countries,  it  would  “...  remove  its  Flight 
Information  Publications  (FLIP),  Digital  Aeronautical  Flight  Information  File 
(DAFIF),  and  related  aeronautical  safety  of  navigation  digital  and  hardcopy 
publications  from  public  sale  and  distribution.”203  After  the  review  of  comments  was 


200  “Guidelines  for  Providing  Appropriate  Access  to  Geospatial  Data  in  Response  to  Security 

Concern,”  Sept.  7,  2004,  available  at  [http://www.fgdc.gov/policyandplanning 

/Access%20Guidelines.pdf] . 

201  U.S.  Geological  Survey,  Federal  Geographic  Data  Committee,  Final  Guidelines  for 
Providing  Appropriate  Access  to  Geospatial  Data  in  Response  to  Security  Concerns,  June 
2005.  Available  at  [http://www.fgdc.gov]. 

202  Final  Guidelines  for  Providing  Appropriate  Access  to  Geospatial  Data  in  Response  to 
Security  Concerns,  op.  cit.,  pp.  1-2. 

203  The  agency’ s  notice  of  rulemaking  said  it  sought  to  accomplish  the  following  objectives: 
“safeguarding  the  integrity  of  Department  of  Defense  (DOD)  aeronautical  navigation  data 
currently  available  on  the  public  Internet;  preventing  unfettered  access  to  air  facility  data 
by  those  intending  harm  to  the  United  States,  its  interests  or  allies;  upholding  terms  of 
bi-lateral  geospatial  data-sharing  agreements;  avoiding  competition  with  commercial 
interests;  and  avoiding  intellectual  property/copyright  disputes  with  foreign  agencies  that 
provide  host-nation  aeronautical  data”  (National  Geospatial-Intelligence  Agency  (NGA), 
Department  of  Defense,  “Modification  to  Announcement  of  Intent  To  Initiate  the  Process 
To  Remove  Aeronautical  Information  From  Public  Sale  and  Distribution,”  Federal  Register, 
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completed  in  November  2005, 204  the  agency  implemented  its  plan.  However,  its 
rationale  for  removal  of  information  focused  exclusively  on  the  intellectual  property 
rights  issue,  not  the  security  dimensions.205 

In  contrast  to  restraining  information,  legislation  has  been  introduced  to  expand 
use  and  applications  of  federal  remote  sensing  data.  During  the  109th  Congress,  H.R. 
426,  “Remote  Sensing  Applications  Act  of  2005,”  reported  favorably  on  June  27, 
2005  (H.Rept.  109-157),  would,  among  other  things,  direct  the  Administrator  of  the 
National  Aeronautics  and  Space  Administration  (NASA)  to  establish  a  program  of 
grants  for  pilot  projects  to  explore  the  integrated  use  of  sources  of  remote  sensing  and 
other  geospatial  information  to  address  state,  local,  regional,  and  tribal  agency  needs. 
It  requires  the  Administrator,  when  awarding  grants,  to  give  preference  to  specified 
types  of  projects.  The  bill  did  not  contain  language  constraining  use  of  data.  No 
further  action  occurred. 


The  Department  of  Homeland  Security’s  SBU 

Directives 

The  DHS  issued  an  internal  management  directive  (MD  11042)  on 
“Safeguarding  Sensitive  But  Unclassified  (For  Official  Use  Only)  Information  ”  on 
May  11,  2004,  to  safeguard  SBU  information  within  DHS.  Such  information  would 
be  labeled  For  Official  Use  Only  (FOUO)206  and  would  be  defined  “to  identify 
unclassified  information  of  a  sensitive  nature,  not  otherwise  categorized  by  statute 
or  regulation  the  unauthorized  disclosure  of  which  could  adversely  impact  a  person’ s 
privacy  or  welfare,  the  conduct  of  Federal  programs,  or  other  programs  or  operations 
essential  to  the  national  interest.”  Portions  of  the  memorandum  generated 
considerable  opposition  because  of  its  mandatory  and  punitive  employee  and 
contractor  nondisclosure  requirements.  In  January  2005,  the  controversial 
requirements  were  replaced  with  requirements  to  educate  employees  in  security 
practices,  and  the  document  was  reissued  as  MD  11042.1. 207  Contractors  are  still 


203  (...continued) 

Dec.  17,  2004,  vol.  69,  no  242,  pp.  75517-75518). 

204  See  the  release  at  [http://www.nga.mil/NGASiteContent/StaticFiles/OCR/nga0509.pdf]. 

205  “The  National  Geospatial-Intelligence  Agency  To  Go  Forward  with  Proposal  to  Remove 
Aeronautical  Data  from  Public  Access  Release,”  NGA  press  release  no.  05-17,  Nov.  29, 
2005,  [http://www.fas.Org/sgp/news/2005/l  1/ngal  12905.html]. 

206  DHS,  Safeguarding  Sensitive  But  Unclassified  ( For  Official  Use  Only)  Information, 
MD  11042,  May  11,  2004,  available  at  http://www.dhs.gov/interweb/assetlibrary 
/Mgmt_NEPA_MD  1 1042SensUnclass.pdf). 

2(17  In  Aug.  2004,  DHS  promulgated  requirements  for  its  employees  and  contractors  to  sign 
a  nondisclosure  agreement  to  handle  and  protect  PCII,  SSI  and  other  “other  SBU” 
nonclassified  information.  Among  its  provisions,  it  stated  that  penalties  for  violation  could 
include  “administrative,  disciplinary,  civil,  or  criminal  action,”  and  that  signing  the 
nondisclosure  agreement  also  allows  the  government  “to  conduct  inspections,  at  any  time 
or  place,  for  the  purpose  of  ensuring  compliance”  (DHS  Non-disclosure  Agreement,  DHS 
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required  to  sign  nondisclosure  agreements,  and  DHS  employees  and  contractors  are 
still  subject  to  administrative  or  disciplinary  action  for  violating  the  policies.208 

The  directive  identified  several  types  of  control  labels  that  could  be  SBU, 
including  FOUO,  CII,  and  SSI  and  so  forth  and  11  types  of  sensitive  unclassified 
information  that  can  be  designated  for  official  use  only  (FOUO)  —  a  type  of  SBU  — 
by  any  DHS  employee,  consultant,  or  contractor.  The  list  includes  one  clearly 
identifiable  technology-related  item,  which  conceivably  might  include  the  results  of 
DHS-sponsored  or  conducted  scientific  research  and  development: 

(k)  Developing  or  current  technology,  the  release  of  which  could  hinder  the 
objectives  of  DHS,  compromise  a  technological  advantage  or  countermeasure, 
cause  a  denial  of  service,  or  provide  an  adversary  with  sufficient  information  to 
clone,  counterfeit,  or  circumvent  a  process  or  system.209 


207  (...continued) 

Form  1 1000-6  (08-04).  Some  federal  employee  unions  criticized  the  requirement  saying  that 
it  duplicated  regulations  that  protect  certain  types  of  information,  (“Homeland  Security,” 
Washington  Post ,  editorial,  Dec.  3,  2004,  p.  A26),  that  it  imposed  criminal  prosecution  for 
disclosing  information  that  is  to  be  made  available  under  FOIA,  that  it  infringed  on  of  free- 
speech  rights  (Eileen  Sullivan,  “Searchers  and  Gag  Orders:  Homeland  Security’s 
Unprecedented  Campaign  Cloaks  Unclassified  Info,”  FederalTimes.com,  Dec.  6, 2004),  and 
that  it  would  allow  “...  officials  to  suppress  and  cover  up  evidence  of  their  own  misconduct 
or  malfeasance  by  stamping  documents  ‘for  official  use  only.. ..’’’Sullivan,  op.  cit.)  It  was 
reported  that  congressional  staffers  had  been  asked,  and  refused,  to  sign  such  statements  on 
the  grounds  that  they  need  to  oversee  the  agency  (Chris  Strohm,  “Homeland  Security 
Reverses  Secrecy  Policy  But  Protests  Persist,”  Gov  Exec.com,  Jan.  12,  2005). 

208  Regulations  for  DHS  contractors  to  sign  nondisclosure  agreements  for  access  to  sensitive 
but  unclassified  information  appear  in  DHS’s  Supplement  to  the  Federal  Acquisition 
Regulation  (FAR),  sec.  3037.103-71,  “Conditional  Access  to  Sensitive  But  Unclassified 
Information.”  It  was  reported  that  DHS  required  participants  in  an  unclassified  workshop 
it  sponsored  at  Booz  Allen  Hamilton  on  “Anticipating  the  Unanticipated,”  “to  consider 
novel  weapons  and  tactics  that  might  be  employed  by  terrorists,”  to  sign  a  nondisclosure 
agreement  (Steven  Aftergood,  “More  Non-disclosure  Agreements  for  Unclassified  Info,” 
Secrecy  News,  Dec.  1 , 2004).  See  also  Chris  Strohm,  “Homeland  Security  Reverses  Secrecy 
Policy  But  Protests  Persist,”  Gov  Exec.com,  Jan.  12,  2005;  “Homeland  Security  Officials 
End  Workers’  Pledge  of  Secrecy,”  Technology  Daily,  AM  Edition,  Jan.  13,  2005; 
“Homeland  Security,”  Washington  Post,  editorial,  Dec.  3,  2004,  p.  A26. 

209  The  other  items  in  the  list  are  (a)  information  of  the  type  that  may  be  exempt  from 
disclosure  per  5  U.S.C.  552,  Freedom  of  Information  Act,  and  its  amendments;  (b) 
information  exempt  from  disclosure  per  5  U.S.C.  552a,  Privacy  Act;  (c)  information  within 
the  international  and  domestic  banking  and  financial  communities  protected  by  statute, 
treaty,  or  other  agreements;  (d)  other  international  and  domestic  information  protected  by 
statute,  treaty,  regulation  or  other  agreements;  (e)  information  that  could  be  sold  for  profit; 
(f)  information  that  could  result  in  physical  risk  to  personnel;  (g)  DHS  information 
technology  (IT)  internal  systems  data  revealing  infrastructure;  (h)  systems  security  data 
revealing  the  security  posture  of  the  system;  (I)  reviews  or  reports  illustrating  or  disclosing 
facility  infrastructure  or  security  vulnerabilities;  and  (j)  information  that  could  constitute  an 
indicator  of  U.S.  government  intentions,  capabilities,  operations,  or  activities  or  otherwise 
threaten  operations  security  (MD  11042  Issue  Date:  5/11/2004,  Revised  as  MD  10042.1, 
Jan.  2005,  op.  cit.,  available  at  [http://www.fas.org/sgp/othergov/dhs-sbu-rev.pdf]). 
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P.L.  107-296  specified  that,  if  “practicable,”  DHS’s  research  is  to  be 
unclassified,  but  the  Presidential  signing  statement  may  have  mitigated  this 
provision.210  It  remains  to  be  seen  how  this  SBU  regulation  will  affect  information 
generated  by  DHS-funded  research  and  development  grants  and  contracts,  and  what 
the  response  will  be  of  universities  that  conduct  research  for  DHS  under  its  academic 
centers  of  excellence  programs. 

Access  to  the  information  covered  by  the  DHS  SBU  directive  is  on  a  “need-to- 
know”  basis,  and  information  can  be  shared  with  cleared  homeland  security 
personnel  at  state  and  local  levels.  The  directive  said  the  use  of  the  FOUO 
designation  did  not  automatically  exempt  information  from  disclosure  under  FOIA 
but  “[i]nformation  requested  by  the  public  under  a  FOIA  request  must  still  be 
reviewed  on  a  case-by-case  basis.”  The  information  would  retain  the  FOUO 
designation  until  the  originator  or  other  officials  determine  otherwise.  Procedures 
to  protect  and  disseminate  such  information  outside  of  DHS  were  spelled  out, 
including  requirements  for  secure  storage  and  suggestions  for  encrypted  Internet  and 
telephone  communications.  Some  other  agencies  also  require  employees  to  sign 
nondisclosure  agreements  in  order  to  protect  SBU  information.211  (See  below  in  the 
section  labeled  “Critique  of  Nondisclosure  Requirements.”) 


Contentious  Issues,  Together  With  Legislative 
Action  and  Other  Options 

The  need  to  balance  security  and  access  poses  a  dilemma  for  policymakers  that 
was  captured  in  the  text  of  a  joint  report  prepared  in  December  2004  by  the  Heritage 
Foundation  and  Center  for  Strategic  and  International  Studies.  The  report  noted  that 
“[I]t  is  necessary  to  strike  the  right  balances  in  sharing  information  with  or 
withholding  information  from  the  public.  Policies  that  are  either  overly  neglectful 
or  overzealous  ill  serve  efforts  to  enhance  homeland  security.”212  Some  critics 


210  Section  306(a)  of  P.L.  107-296  provides  that  “to  the  greatest  extent  practicable,  research 
conducted  or  supported  by  the  ...  DHS  shall  be  unclassified.”  However,  “President  Bush's 
signing  statement  ...  states  that  the  executive  branch  will  ‘construe  and  carry  out'  this 
section,  and  other  provisions  of  the  law,  including  those  addressing  information  analysis  and 
infrastructure  protection,  ‘in  a  manner  consistent  with  the  President’s  constitutional  and 
statutory  authorities  to  control  access  to  and  protect  classified  information,  intelligence 
sources  and  methods,  sensitive  law  enforcement  information,  and  information  the  disclosure 
of  which  could  otherwise  harm  the  foreign  relations  or  national  security  of  the  United 
States.’”  From  [http://www.whitehouse.gOv/news/releases/2002/l  l/print/20021 125- 
10.html],  as]  cited  in  U.S.  Library  of  Congress,  Federal  Research  Division,  Laws  and 
Regulations  Governing  the  Protection  of  Sensitive  But  Unclassified  Information.  A  Report 
Prepared ...  Under  an  Interagency  Agreement  with  the  NASA  Office  of  Inspector  General. 
Project  Manager:  Alice  R.  Buchalter,  Sept.  2004,  p.  8. 

211  Eileen  Sullivan,  “Searches  and  Gag  Orders:  Homeland  Security’s  Unprecedented 
Campaign  Cloaks  Unclassified  Info,”  Federal  Times,  Dec.  6,  2004,  “Homeland  Secrecy,” 
Washington  Post,  Dec.  3,  2004,  p.  A26. 

212  James  Jay  Carafano  and  David  Heyman,  DHS  2.0:  Rethinking  the  Department  of 
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contend  that  many  government-instituted  controls  on  sensitive  information,  or  on 
scientific  and  technical  information,  may  be  unwarranted.  For  instance,  OMB  Watch, 
an  interest  group  newsletter  that  advocates  more  access  to  information,  maintains  an 
inventory  and  website  that  lists  information  that  federal  and  state  agencies  have 
removed  from  public  access  for  security  reasons.213  In  March  2005,  Steven 
Aftergood,  the  editor  of  Secrecy  News,  published  online  by  the  Federation  of 
American  Scientists,  catalogued  information  deleted,  sometimes,  he  contends, 
inappropriately,  from  government  files  or  to  which  public  access  has  been  denied. 
This  information  includes  unclassified  technical  reports  from  the  Los  Alamos 
National  Laboratory,  30-  to  50-year  old  historical  records  at  the  National  Archives, 
orbits  of  Earth  satellites,  aeronautical  maps,  and  data  previously  available  from  the 
National  Geospatial  Intelligence  Agency.214 

Some  of  the  critiques  of  information  control  policies  in  specific  scientific  and 
technical  arenas  have  already  been  described  in  this  report.  In  addition,  a  number  of 
criticisms  have  been  made  that  cut  across  sensitive  information  controls  broadly  and 
may  influence  decisions  about  balancing  security  and  access  to  sensitive  unclassified 
information.  These  criticisms,  which  are  discussed  next,  focus  on  allegations  that 
some  controls  can  exacerbate  vulnerability  or  stifle  scientific  research  and 
technological  innovation;  vagaries  in  nondisclosure  requirements;  the  relationship  of 
SBU  to  FOIA;  inconsistency  in  agencies’  definitions  of  and  processes  to  identify 
SBU  information;  developing  a  standard  definition  of  SBU  information;  monitoring 
agency  use  of  risk-based  standards  for  SBU;  and  recommendations  for  better 
governance  of  SBU  information  procedures.  These  sections  also  identify  legislation 
that  has  been  introduced  and  action  Congress  has  taken  on  some  of  these  issues. 

Allegations  That  Some  Controls  Can  Exacerbate  Vulnerability 
and  Stifle  Scientific  Research  and  Technological  Innovation 

Sensitive  information  controls  may  protect  vulnerable  buildings  and  public 
services  from  terrorist  threats,  but  some  critics  allege  that  preventing  access  to  such 
information  can  exacerbate  vulnerabilities  and  stifle  the  development  of  innovations 
to  enhance  protection.  According  to  one  critic, 

A  large  sign  in  New  York  City,  indicating  the  location  of  a  natural  pipeline  was 
taken  down  after  a  website  posted  a  photograph  of  the  sign....  Although  federal 
regulations  require  that  the  location  of  natural  gas  lines  be  made  as  obvious  as 
possible  to  the  public  for  safety  reasons,  the  company  that  owns  the  pipeline 
asserted  that  local  laws  allowed  the  sign’s  removal.  ...  The  regulations  requiring 
that  natural  gas  pipelines  be  clearly  marked  were  established  to  prevent 
accidental  rupture  that  often  causes  injuries  an  deaths  to  residents,  contractors, 


212  (...continued) 

Homeland  Security,  Heritage  Foundation  Special  Report  SR-02,  Dec.  13,  2004,  pp.  20-21. 

213  Available  at  [http://www.ombwatch.Org/article/articleview/213#agency], 

214  Steven  Aftergood,  “The  Age  of  Missing  Information,”  Mar.  17,  2005,  available  at 
[http://slate.msn.com/id/21 14963/]. 
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and  energy  responders.  Ironically,  removing  such  information  puts  the  public  in 

greater  danger  of  lethal  accidents.215 

Some  say  that  protections  on  information  access  and  dissemination  are 
especially  burdensome  to  scientific  research  and  academic  research  and  that  the 
scientific  community’s  potential  to  generate  knowledge  and  innovations  to  assist  in 
combating  terrorism  could  be  compromised  by  overzealous  information  security 
controls.  For  instance,  “[terrorists  will  obtain  knowledge,”  one  critic  emphasized.216 
“Our  best  option  is  to  blunt  their  efforts  to  exploit  it.  Keeping  scientists  from  sharing 
information  damages  our  ability  to  respond  to  terrorism  and  to  natural  disease,  which 
is  more  likely  and  just  as  devastating.  Our  best  hope  to  head  off  both  threats  may 
well  be  to  stay  one  step  ahead.”217 

On  October  18,  2002,  the  three  presidents  of  the  National  Academies  issued  a 
statement  that  sought  to  balance  security  and  openness  in  disseminating  scientific 
information.  It  summarized  the  policy  dilemma  by  saying  that  “restrictions  are 
clearly  needed  to  safeguard  strategic  secrets;  but  openness  also  is  needed  to 
accelerate  the  progress  of  technical  knowledge  and  enhance  the  nation’s 
understanding  of  potential  threats.”  The  statement  encouraged  the  government  to 
reiterate  government  policy  that  basic  scientific  research  should  not  be  classified,  that 
nonclassified  research  reporting  should  not  be  restricted,  and  that  vague  and  poorly 
defined  categories  of  research  information,  such  as  sensitive  but  unclassified,  should 
not  be  used.  “The  inevitable  effect  is  to  stifle  scientific  creativity  and  to  weaken 
national  security.”  The  statement  outlined  “action  points”  for  both  government  and 
professional  societies  to  consider  when  developing  a  dialogue  about  procedures  to 
safeguard  scientific  and  technical  information  that  could  possibly  be  of  use  to 
potential  terrorists.  An  American  Civil  Liberties  Union  (ACLU)  report  addressing 
governmental  restrictions  on  science,  observed  that  “[t]he  ‘sensitive  but  unclassified’ 
and  equivalent  categories  that  effectively  bar  public  access  to  information  must  be 
eliminated.  All  information  should  either  be  properly  classified  or  unrestricted.”218 
Similarly,  the  American  Association  of  University  Professors  recommended,  “We 
should  resist  or  seek  to  repeal  efforts  to  regulate  unduly,  or  to  make  secret,  the  results 
of  lawful  research  projects  under  novel  uses  of  the  “sensitive  but  unclassified” 
rubric.”219  The  National  Academies  held  a  workshop  on  this  subject  early  in  2003, 
in  cooperation  with  the  Center  for  Strategic  and  International  Studies.  Subsequently, 
the  CSIS  and  the  Academies  established  a  “Roundtable  on  Scientific  Communication 
and  National  Security,”  a  working  group  composed  of  scientific  and  security  leaders 
that  will  hold  continuing  discussions  to  try  to  develop  a  workable  publications  policy. 
(For  additional  information,  see  the  aforementioned  CRS  Report  RL31845.)  The 
National  Academies  also  have  a  separate  Committee  on  Scientific  Communication 


215  “Security  Measures  Invoked  to  End  Safety  Measures,”  OMB  Watch,  Sept.  7,  2004. 

216  Donohue,  op.  cit.,  p.  B05. 

217  Donohue,  op.  cit.,  p.  B05. 

218  ACLU,  Science  Under  Siege,  op.  cit.,  p.  32. 

219  Academic  Freedom  and  National  Security  in  a  Time  of  Crisis,  American  Association  of 
University  Professors  Special  Committee  on  Academic  Freedom  and  National  Security  in 
a  Time  of  Crisis,  Oct.  2003. 
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and  National  Security  (CSCANS),  whose  purpose  is  to  clarify  “the  national  interest 
with  regard  to  these  issues,  and  inform  the  policy  debate  on  the  relationship  between 
science  and  national  security.”220  The  Academy  also  established  a  Committee  on  a 
“New  University-Government  Partnership  for  Science  and  Security,”  to  hold  regional 
meetings 

that  will  1)  bring  together  faculty  and  research  administrators,  government 
officials  from  research  and  national  security  agencies,  and  congressional 
members;  and  2)  focus  on  a.  restrictive  clauses  in  federal  contracts  and 
grants;  b.  dissemination  of  scientific  information;  c.  sensitive  but 
unclassified  information;  and  d.  the  management  of  biological  agents  in 
academic  research.221 

A  legal  author  argued  that  including  SBU  information  clauses  in  contracts  is 
“constitutionally  suspect,”  especially  with  regard  to  university-conducted  research 
that  is  supported  as  an  essential  public  good.  Use  of  the  term  SBU  raises  "...  the 
possibility  of  government  censorship  of  private  speech  ...  the  primary  danger 
addressed  by  the  Free  Speech  Clause,”222  and  imposes  “.. .  a  prior  restraint  on  private 
speech,”223  even  though  there  may  not  be  enough  of  a  threshold  level  of  national 
security  danger  to  overcome  the  right  to  free  speech.  These  considerations, 

...  suggest ...  that  SBU  secrecy  controls  that  reach  into  university  discourse  pose 
a  particular  danger  because  of  the  special  role  of  the  university  in  promoting 
innovation  and  expression  outside  of  government  control  and  because,  with 
respect  to  scientific  information  in  particular,  the  university  has  a  special  role  in 
conducting  research  for  the  puipose  of  expansion  and  dissemination  of 
knowledge.  Although  the  government  shapes  expression  on  university  campuses 
in  many  ways,  the  expectation  is  that  expression  not  identified  as  the 
Government’ s  will  be  unconstrained.  The  special  role  of  the  university  thus  must 
weigh  in  the  constitutional  balance.224 

According  to  this  author,  government  may  have  a  legitimate  constitutional  right  to 
protect  SBU  information  in  contracts,  if  there  is  sufficient  national  security  reason, 
if  uniform  definitions  linked  to  specific  levels  of  national  security  danger  are  used, 
if  there  are  review  procedures,  and  if  the  method  used  to  control  information  is  the 
least  restrictive  necessary  to  fulfill  the  government’s  legitimate  interests.225 

Some  say  that  placing  controls  on  unclassified  information  could  negatively 
affect  governmental  relations  with  the  private  sector  and  procurement  for  information 
technology  and  other  contracts.  New  ideas  for  information  security  technologies, 


220  From  [http://www7.nationalacademies.org/rscans/]. 

221  Available  at  [http://www8.nationalacademies.org/cp/projectview.aspx?key=177.]. 

222  Leslie  Gielow  Jacobs,  “A  Troubling  Equation  in  Contracts  for  Government  Funded 
Scientific  Research:  ‘Sensitive  But  Unclassified’  =  Secret  But  Unconstitutional,”  Journal 
of  National  Security  Law  and  Policy,  2005,  p.  127. 

223  Jacobs,  op.  cit.,  p.  128. 

224  Jacobs,  op.cit.,  p.  156. 

225  Jacobs,  op.  cit.,  pp.  157-159. 
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including  hard  technology,  software  and  biotech-related  products,  often  come  from 
overseas,  as  do  bids  for  contracts  to  handle  sensitive  agency  information. 
Reportedly,  foreign  vendors  will  have  trouble  complying  with  contracts  that  need  to 
meet  information  security  standards.  It  has  been  reported  that  requests  for  proposals 
(RFPs)  coming  from  the  Defense  Security  Services  involving  data  processing  for  its 
SBU  information  say  that  employees  of  potential  vendors  need  to  be  U.S.  citizens, 
with  background  checks.  DHS  and  DOT  procurement  rules  involving  sensitive 
information  specify  background  checks  for  prime  or  subcontractors  and  that 
nondisclosure  forms  have  to  be  signed.226 

There  is  also  the  view  that  scientists  who  voluntarily  agree  to  pre-research  and 
prepublication  reviews  of  research  articles  could  harm  a  university’s  ability  to 
conduct  fundamental  research  involving  foreigners  as  permitted  by  National  Security 
Decision  Directive- 189  (NSDD-189)  and  related  regulations.  (For  additional 
information,  see  a  previous  section  of  this  report  entitled  “Summary  of  Federal 
Policies  to  Classify  or  Control  Scientific  and  Technical  Information.”  According  to 
Robert  Hardy  of  the  nonprofit  Council  on  Governmental  Relations 

...  by  placing  restrictions  on  publishing  ...  the  [Department  of  Homeland 
Security-funded  centers  of  excellence]  could  risk  losing  the  privileges  that 
universities  enjoy  because  they  do  fundamental  research  —  defined  a  work 
whose  results  are  ‘published  and  shared  broadly  within  the  scientific 
community.’  One  important  privilege  is  being  able  to  involve  foreign  nationals 
in  any  research  project  without  obtaining  a  government  license.227 

Critique  of  Nondisclosure  Requirements 

A  number  of  agencies  require  employees,  contractors,  and  users  of  sensitive 
information  to  sign  nondisclosure  agreements  or  impose  penalties  for  disclosing  SBU 
and  related  information.  Some  critics  contend  that  language  relating  to  penalties  is 
often  vague,  varies  from  agency  to  agency,  and  that  some  agencies’  mandatory 
nondisclosure  provisions  and  associated  penalties  for  disclosure  might  weaken 
federal  employee  rights  and  whisteblower  protections.  Some  agencies’  policies  are 
illustrated  in  Appendix  A,  elsewhere  in  this  report,  and  in  other  reports.228  For 
example,  nondisclosure  agreements  are  authorized  in  P.L.  107-296  relating  to  sharing 
of  SHSI  with  state  and  local  government  personnel  (sec.  892)  and  for  handling  SSI 
(sec.  1601).  Section  214  of  the  law  allows  penalties  consisting  of  imprisonment, 
fines,  administrative  penalties  or  dismal  from  employment  for  employees  of  DOT 
and  DHS  who  inappropriately  share  CII  information.  DHS  Management  Directive 


226  Alison  Diana,  “Law  Expert  Marcia  Madsen  on  the  Government  IT  Goldmine,” 
Technewsworld ,  Mar.  5,  2004. 

227  Yudhijit  Bhattacharjee,  “Scientific  Openness,”  Should  Academies  Self-censor  Their 
Findings  on  Terrorism,”  Science,  May  19,  2006,  p.  994. 

228  For  example,  see,  CRS  Report  RL33494,  op.  cit;  National  Security  Archive,  Pseudo- 
Secrets  ”  A  Freedom  of  Information  Act  Audit  of  the  U.  S.  Government 's  Policies  on  Sensitive 
Unclassified  Information,  Washington,  Mar.  2006,  and  GAO,  Information  Sharing,  The 
Federal  Government  Needs  to  Establish  Policies  and  Processes  for  Sharing  Terrorism- 
Related  and  Sensitive  but  Unclassified  Information ,  April  2006,  GAO  Report  GAO-06-385. 


CRS-54 


1 1042. 1  prescribes  penalties  consisting  of  administrative  or  disciplinary  actions  for 
DHS  employees  and  contractors  for  disclosing  SBU  information.  DHHS  has 
nondisclosure  provisions  and  penalties  for  disclosure  of  select  agent  information  and 
other  sensitive  information,  as  does  the  CDC  for  SBU  information  and  the  USDA, 
for  sensitive  information.  The  Department  of  the  Treasury  requires  that  certain 
bidders  sign  nondisclosure  agreements  for  SBU  information.229  The  Department  of 
Energy  (DOE)  and  the  Nuclear  Regulatory  Commission  (NRC)  may  penalize 
unauthorized  release  of  certain  types  of  SBU  information  and  unclassified  nuclear 
information.  In  addition,  users  of  federal  SBU  information  exchange  systems  are 
subject  to  nondisclosure  provisions  and  usually  are  required  to  have  clearances  to 
view  such  information.  (For  details,  see  Appendix  B  to  this  report.)  The  General 
Services  Administration  attaches  to  business  solicitations  detailed  explanation  of 
how  its  bidding  documents  will  be  available  only  to  authorized  firms  that  have 
completed  forms  allowing  them  access  to  “sensitive  but  unclassified”  bidding 
information.  Such  firms  need  to  complete  a  document  attesting  that  they  will 
undertake  reasonable  care,  and  limit  dissemination  to  authorized  users  who  have  a 
“need  to  know.”230 

Penalties  for  disclosing  SBU  information  can  be  more  punitive  than  for 
disclosing  classified  information  according  to  J.  William  Leonard,  the  director  of  the 
Information  Security  Oversight  Office,  (ISOO)  at  the  NARA: 

For  example,  should  a  Federal  employee  disclose  certain  unclassified 
information  -  specifically  Critical  Infrastructure  Information  -  in  an  unauthorized 
manner,  that  individual  now  is  subject  to  criminal  sanctions  under  Section  2 14(f) 
of  the  Homeland  Security  Act.  At  the  same  time,  an  unauthorized  disclosure  of 
certain  types  of  classified  information  by  that  same  employee  would  not 
necessarily  be  subject  to  criminal  sanctions.  The  reason  for  such  disparity  is  not 
readily  apparent.231 

The  Project  on  Government  Oversight,  a  watchdog  group,  criticized  the  revised 
DHS  employee  nondisclosure  policy  released  in  January  2005,  saying  it  is  “still 
problematic”  because  DHS  "...  prevents  employees  from  disclosing  information  that 
is  available  to  the  public  under  the  Freedom  of  Information  Act  [FOIA].”232 

Legislation  Introduced  Affecting  Disclosure  Policies.  Legislation  was 
introduced  which  may  be  responsive  to  some  of  these  concerns.  During  the  109lh 
Congress,  S.  494,  “The  Federal  Employee  Protection  of  Disclosures  Act,”  which  was 
reported  without  amendment  on  May  25, 2005  (S.Rept.  109-72),  would  among  other 
things  protect  any  federal  employee  who  lawfully  discloses  evidence  of  waste,  abuse 
or  mismanagement,  including  disclosure  of  classified  information  if  made  to 


229  For  example,  Department  of  the  Treasury,  “Solicitation  TIRNO-04-R-0000 1 ,  Conditional 
Access  to  Sensitive  but  Unclassified  Information  Non-disclosure  Agreement,”  [for  a 
Treasury  Communications  Enterprise  (TCE)  procurement]. 

230  See,  for  example  “Z  —  Chiller  Replacement,  Christie  and  Federal  Bldg.,  Huntington, 
WV,”  FPO  Daily ,  May  22,  2003. 

231  Leonard,  June  12,  2003,  op.  cit. 

232  Strohm,  Jan.  12,  2005,  op.  cit. 
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Members  of  Congress  or  staff  authorized  to  receive  it.  It  also  would  authorize  the 
Merit  Systems  Protection  Board  to  review  charges  for  retaliation  for  whistleblowing; 
require  all  agency  nondisclosure  forms  to  contain  language  preserving  the  right  of 
federal  employees  to  disclose  certain  information,  and  amend  the  Homeland  Security 
Act  of  2002  to  allow  federal  employees  to  disclose  independently  obtained  critical 
infrastructure  information  for  specified  whistleblower  purposes.  The  House  version 
of  the  “Federal  Employee  Protection  of  Disclosures  Act,”  H.R.  1317,  was  amended 
and  reported  on  June  29,  2006,  by  the  House  Committee  on  Government  Reform 
(H.Rept.  109-544,  pt.  1),  and  then  referred  to  the  House  Committee  on  Armed 
Services  and  the  House  Committee  on  Homeland  Security  on  September.  11,  2006. 
This  proposal  and  a  related  bill,  H.R.  3097,  would  protect  any  federal  employee  who 
lawfully  discloses  what  he  or  she  believes  is  credible  evidence  of  waste,  abuse,  or 
gross  mismanagement,  without  restriction  as  to  time,  place,  form,  motive,  context, 
or  prior  disclosure.  Exempt  under  H.R.  1317,  would  be  information  held  by  such 
agencies  as  the  Federal  Bureau  of  Investigation,  the  Central  Intelligence  Agency,  the 
Defense  Intelligence  Agency,  the  National  Geospatial-Intelligence  Agency,  and  the 
National  Security  Agency. 

S.  888,  introduced  on  April  21,  2005,  “Homeland  Security  Information 
Guidance  and  Training  Act  of  2005,”  and  referred  to  the  Committee  on  Homeland 
Security  and  Governmental  Affairs,  would  require  DHS,  among  other  things,  to 
establish  best  practices  for  state  and  local  governments  in  making  determinations 
about  public  disclosure  and  sharing  among  emergency  management  personnel  of 
sensitive  nonfederal  homeland  security  information  and  to  provide  training  based  on 
a  best  practices  curriculum.  No  further  action  has  occurred. 

SBU  Information  in  Relation  to  FOIA 

Agencies  differ  about  whether  or  not  SBU  information  is  automatically  exempt 
from  disclosure  under  FOIA.  This  contentious  policy  issue  has  been  addressed  in 
existing  law,  Department  of  Justice  (DOJ)documents,  congressional  hearings,  and  in 
statements  issued  by  the  American  Bar  Association,  among  others.  Contrasting 
differences  in  interpretation  characterize  this  issue.  As  noted,  the  CSA  specified  it 
“was  not  to  be  construed  to  constitute  authority  to  withhold  information  sought 
pursuant  to  the  FOIA,  or  to  authorize  any  federal  agency  to  limit,  restrict,  regulate, 
or  control,  among  other  actions,  the  disclosure,  use,  transfer,  or  sale  of  any 
information  disclosable  under  the  FOIA....”233  According  to  the  DOJ’s  Freedom  of 
Information  Act  Guide,  May  2004,  SBU  and  SHSI  are  not  to  be  exempt  from 
disclosure  under  FOIA,  except  for  CII  (which  is  protected  pursuant  to  P.F.  107-296) 
and  other  kinds  of  sensitive  information  protected  by  statute  —  which  now  includes 
SSI  (pursuant  to  P.F.  107-296),  some  land  remote  sensing  geospatial  information 
(pursuant  to  P.F.  108-375),  and  some  information  controlled  by  the  Nuclear 
Regulatory  Commission.  As  Relyea  and  Seifert  conclude  “[i]t  seems  unlikely, 
however,  that  ‘sensitive  but  unclassified’  homeland  security  information,  per  se, 


1 33  101  Stat.  1730:  40  U.S.C.  paragraph  759  note,  subsequently  repealed  in  1996,  1 10  Stat. 
680,  As  cited  in  Relyea  and  Seifert,  op.  cit. ,  p.  19. 
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could  be  protected  from  disclosure  pursuant  to  the  FOIA  because  it  does  not  appear 
to  fall  clearly  within  any  of  that  statute’s  exemptions.”234 

Nevertheless,  there  is  ambiguity.  For  instance,  as  described  above,  the  DOJ 
Freedom  of  Information  Act  Guide  describes  broad  court  interpretations  that  may 
permit  justifiable  withholding  of  sensitive  information  under  FOIA.235  Also,  the 
Administration  has  issued  instructions  to  agencies  to  attempt  to  use  FOIA  to  protect 
information  if  release  would  harm  homeland  security.  The  Card  memo,  discussed 
earlier  and  which  guides  agencies  on  handling  of  SBU  information,  referred  to  the 
Attorney  General’ s  memo  of  October  2001 ,  which  instructed  agencies,  when  making 
discretionary  decisions  to  determine  if  information  is  exempt  from  disclosure  under 
a  FOIA  exemption,  to  withhold  information  if  it  is  legal  to  do  so.  It  emphasized  that 
agencies  should  to  try  to  withhold  sensitive  information  under  FOIA  to  protect  the 
nation  from  terrorist  threat,  and  said  that  the  Department  of  Justice  would  support 
agency  determinations. 

Agencies  also  differ  on  how  requests  to  release  information  under  FOIA  will  be 
handled.  Illustrations  of  the  variety  in  federal  agencies’  proposed  or  existing  policies 
are  given  in  Appendix  A  and  are  outlined  here.  The  Nuclear  Regulatory 
Commission  (NRC)  issued  proposed  rules  in  February  2005  for  “Safeguards 
Information”  (SGI)  —  unclassified  sensitive  information  deemed  too  sensitive  for 
public  release,  which  it  said  should  be  withheld  from  public  access  and  released  only 
to  those  with  a  “need  to  know”  even  though  it  was  not  classified.236  In  2005 
guidance,  CDC  said  its  SBU  information  is  information  that  is  exempt  from 
disclosure  under  FOIA.237  This  was  modified  in  2006  to  require  that  if  a  request  is 
received  for  a  document  marked  SBU,  it  should  be  reviewed  to  determine  if  it 


234  Relyea  and  Seifert,  op.  cit.,  p.  20. 

235  According  to  the  DOJ  Freedom  of  Information  Act  Guide,  May  2004,  SHSI  and  SBU  are 
not  automatically  to  be  classified  pursuant  to  Executive  Order  12958  and  “[tjerms  such  as 
‘SHSI’  and  ‘SBU’  describe  broad  types  of  potentially  sensitive  information  that  might  not 
even  fall  within  any  of  the  FOIA  exemptions....”  See  the  discussion  on  exemption  one. 
Furthermore,  use  of  these  labels  does  not  provide  protection  from  disclosure  under  any 
exemption.  When  discussing  exemption  two,  the  Guide  reviewed  the  ability  to  withhold  CII 
data  under  exception  3  and  exemption  2’s  protections  for  such  homeland  security-related 
information  as  agency  vulnerability  assessments  and  evacuations  of  CII.  It  noted  that 
“[sjince  September  11,  2001,  all  courts  that  have  considered  nonclassified  but  nonetheless 
highly  sensitive  information,  such  as  container-inspection  data  from  a  particular  port ...  or 
maps  of  the  downstream  flooding  consequences  of  dam  failure  ...  have  justifiably 
determined  —  either  under  exception  2,  or,  upon  a  finding  of  a  law  enforcement  connection 
...  under  exemptions  7  (e)  or  7  (f)  —  that  such  information  must  be  protected  from 

disclosure . ”  The  same  discussion  noted  that  under  exemption  two,  agency  officials 

should  protect  internal  agency  records  that  could  cause  harm. 

236  As  authority,  it  cited  section  147  of  the  Atomic  Energy  Act  of  1954  as  amended  and 
specifically,  10  CFR  2.390.  For  additional  information  about  the  NRC  process,  see 
Appendix  A  to  this  report. 

237  See  Appendix  A  to  this  report.  The  source  is  Sensitive  Information  Protection  Manual, 
attached  to  a  directive.  “Sensitive  But  Unclassified  Information,”  Manual  Guide-Information 
Security  CDC-02,  July  22, 2005,  not  paginated,  see  about  p.3,  8,  10.  First  reported  in  “CDC 
Issues  Policy  on  Sensitive  But  Unclassified  Info,”  Secrecy  News,  Aug.  2,  2005. 
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qualifies  for  an  exemption  under  FOIA  and  withholding.238  DHS’s  management 
directive  11042.1  on  SBU  said  all  information  identified  as  SBU  should  be  labeled 
FOUO  and  would  include  any  information  that  might  adversely  affect  the  national 
interest  or  the  conduct  of  federal  programs;  information  so  labeled  and  requested 
under  FOIA  would  be  released  only  on  a  case-by-case  basis,  will  not  be  distributed 
to  unauthorized  persons,  and  should  be  protected  and  disseminated  only  to  those  with 
a  “need  to  know.”  The  DHS  draft  directive  on  categorical  exemptions  for 
environmental  impact  information,  dated  June  14,  2004,  proposed  exclusion  for 
disclosure  under  FOIA.  Some  parts  of  DOD  automatically  exempt  SBU  information 
from  FOIA.  Thus,  according  to  the  Defense  Security  Service,  “[t]he  term  sensitive 
unclassified  information  as  used  here  is  an  informal  designation  applicable  to  all 
those  types  and  forms  of  information  that,  by  law  or  regulation,  require  some  form 
of  protection  but  are  outside  the  formal  system  for  classifying  national  security 
information.  As  a  general  rule,  all  such  information  may  be  exempt  from  release  to 
the  public  under  the  Freedom  of  Information  Act.”239  Other  parts  of  DOD  use  the 
FOUO  designation  only  for  documents  already  exempt  from  FOIA.240 

DOE  equates  SBU  and  OUO,  requiring  that  information  be  exempt  under  one 
of  FOIA  exemptions  two  through  nine,  and  exempts  all  SBU  information,  which  it 
calls  OUO,  from  disclosure  under  FOIA,  except  that  it  says  it  will  be  made  available 
to  those  with  a  “need  to  know”  for  their  jobs.241  The  Federal  Energy  Regulatory 
Commission  (FERC)  issued  a  final  rule  outlining  access  procedures  to  critical  energy 
infrastructure  information  (CEII),  an  SBU  category  it  uses  only  for  information  that 
is  exempt  from  disclosure  under  FOIA  but  that  it  makes  available  to  those  with  a 
“need  to  know.”  A  congressional  witness  criticized  this  policy: 

The  most  glaring  problem  with  FERC’s  policy  is  that  it  is  based  on  the 
assumption  that  this  information  is  exempt  from  disclosure  under  FOIA. 
However,  FERC’s  claims  are  based  not  on  any  court-accepted  interpretation  of 
FOIA,  but  on  the  Justice  Department’s  potpourri  of  possible  exemptions.  ...The 
other  problem  is  that  FERC  wanted  to  continued  to  share  this  information  during 
its  proceedings,  requiring  it  to  create  a  non-FOIA  process  of  disclosure  to  those 
parties  with  a  ‘need  to  know,’  which  required  parties  to  sign  a  nondisclosure 


238  CDC,  Sensitive  But  Unclassified,  February  2006,  as  posted  at 
[http://www.fas.org/sgp/othergov/cdc-sbu-2006.html],  by  Steven  Aftergood,  Secrecy  News, 
Feb. 27, 2006. 

239  Defense  Security  Service,  Employees  Guide  to  Security  Responsibilities,  “Protecting 
Sensitive  Unclassified  Information,”  http://www.dss.mil/search- 
dir/training/csg/security/S2unclas/Intro.htm. 

240  “Background  on  Sensitive  But  Unclassified  Information,”  OMB  Watch, 
[http://www.ombwatch.org/article/archive/238?TopicID=2], 

241  See  Appendix  A.  Source:  DOE,  “Commission  on  Science  and  Security  in  the  21st 
Century,  DOE  accompanied  by  Recommendations,  June  20, 2002.  The  statement  referenced 
a  DOE  document  Subject:  Identifying  and  Protecting  Official  Use  Only  Information,  DOE 
Order  M  471.3-1,  Apr.  9,  2003  (which  is  current  through  Apr.2007). 
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agreement.  It  is  difficult  to  see  how  information  that  was  previously  public  could 
become  non-public  based  solely  on  agency  regulations.242 

Reportedly  in  2006,  controversy  arose  between  Connecticut’s  State  Attorney 
General  and  FERC  about  the  state’s  attempt  to  access  information  regarding  a 
proposed  Liquified  Natural  Gas  (LNG)  plant.  The  state  sought  information  to  review 
design  and  safety  considerations  and  to  determine  whether  building  the  plant  would 
endanger  the  health  and  safety  of  state  residents.  Reportedly,  FERC  says  the 
information  is  not  publicly  releasable  because  it  is  critical  energy  infrastructure 
information  (CEII),  a  category  of  “sensitive  but  unclassified,”  which  it  says  is  not 
releasable  under  FOIA. 243 

According  to  the  USDA,  its  SBU  information,  some  of  which  it  calls  SSI 
information,  is  releasable  under  FOIA,  but  that  it  will  process  FOIA  requests  in 
accord  with  the  instructions  in  the  Attorney  General’s  2001  memo  which  instructs 
agencies  to  protect  the  release  of  sensitive  information  under  FOIA  and  to  be 
cognizant  especially  of  exemptions  two,  three,  four  and  seven.244 

As  indicated  above,  some  agencies  require  a  form  of  clearance  for  persons  to  see 
SBU  information  or  a  determination  that  they  have  a  “need  to  know,”  which  could 
imply  exemption  from  public  disclosure.245  Thomas  S.  Blanton,  Director  of  the 
George  Washington  University  National  Security  Archive,  testified  at  the  March  2, 
2005  hearing  that  use  of  the  term  SBU  thwarts  the  intent  of  FOIA  and  almost  forces 
government  bureaucrats  to  withhold  such  information: 

We  have  heard  from  officials  at  the  Department  of  Justice  that  these  new  pseudo 
classifications  are  simply  guidance  for  safeguarding  information,  and  do  not 
change  the  standards  under  the  Freedom  of  Information  Act.  But  such  a  claim 
turns  out  to  be  mere  semantics:  In  every  case,  the  new  secrecy  stamps  tell 
government  bureaucrats  “don’ t  risk  it” ;  in  every  case,  the  new  labels  signal  “find 
a  reason  to  withhold.”  In  another  TSA  response  to  an  Archive  FOIA  request,  the 
agency  released  a  document  labeled  “Sensitive  But  Unclassified”  across  the  top, 
and  completely  blacked  out  the  full  text,  including  the  section  labeled 
“background”  -  which  by  definition  should  have  segregable  factual  information 
in  it.  The  document  briefed  Homeland  Security  Secretary  Tom  Ridge  on  an 
upcoming  meeting  with  the  Pakistani  Foreign  Minister,  but  evidently  officials 
could  not  identify  any  national  security  harm  from  release  of  the  briefing,  and 
fell  back  on  the  new  tools  of  SBU,  together  with  the  much-abused  “deliberative 
process”  exemption  to  the  Freedom  of  Information  Act.246 


242  Testimony  by  Harry  Hammitt  before  the  House  Subcommittee  on  National  Security, 
Emerging  Threats  and  international  Relations,  Mar.  2,  2005,  p.  7. 

243  “Sensitive  But  Unclassified  Info:  You  Can’t  Have  It.  Why?  Because  They  Say  So.”  OMB 
Watch,  Feb.  22,  2006. 

244  See  Appendix  A. 

245  See  Appendix  A. 

246  Available  at  [http://www.gwu.edu/~nsarchiv/news/20050302/index.htm]. 
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Congressional  Action,  to  Clarify  FOIA,  with  Implications  for  SBU. 

On  February  13,  2006,  the  American  Bar  Association  House  of  Delegates  adopted 
a  recommendation,  accompanied  by  a  background  report,247  that  “urges  the  Attorney 
General  of  the  United  States  to  issue  a  memorandum  to  Freedom  of  Information  Act 
(FOIA)  officials  at  federal  agencies  clarifying  that  the  designation  of  agency  records 
as  ‘sensitive  but  unclassified’  cannot  be  a  basis  for  withholding  agency  documents 
from  release.”  The  recommendation  also  called  for  establishing  a  standard  policy  for 
“  designating  information  as  “sensitive  but  unclassified;  ...  the  internal  handling 
of  such  information;  ...taking  into  account  the  sensitive  nature  of  such  information; 
and  ...  ensuring  the  release  of  such  information  unless  exempt  under  FOIA.” 

Legislative  action  has  been  taken  to  clarify  the  relationship  of  some  SBU 
information  to  FOIA.  For  instance,  as  noted  above,  in  2004,  Congress  tightened 
controls  on  some  geospatial  information  by  creating  a  new  FOIA  exemption  three 
category  to  permit  the  withholding  of  some  land  remote  sensing  data  (Sec.  914  of 
P.L.  108-375).  In  contrast,  during  the  109th  Congress,  H.R.  426,  reported  out  of 
committee  on  June  27,  2005,  would  expand  the  applicability  and  use  of  remote 
sensing  and  other  geospatial  information  to  address  state,  local,  regional,  and  tribal 
agency  needs.  No  further  action  has  occurred. 

Additional  legislation  related  to  these  subjects  in  the  109th  Congress  included 
S.  622,  the  “Restoration  of  Freedom  of  Information  Act  of  2005.”  It  would  have 
amended  P.L.  107-296,  the  Homeland  Security  Act  of  2002,  by  limiting  voluntarily 
submitted  critical  infrastructure  information  provisions  in  the  law  that  create  new 
exemptions  from  FOIA;  by  modifying  the  FOIA  exemption  to  information  submitted 
as  CII  records  to  prevent  all  CII  information  submitted  by  industry  from  being 
categorized  broadly  as  an  agency  record  subject  to  withholding  under  FOIA;  by 
allowing  records  to  be  shared  within  and  between  government  agencies;  by 
decriminalizing  actions  of  legitimate  whistleblowers  who  might  use  such 
information;  and  by  not  restricting  congressional  use  or  disclosure  of  voluntarily 
submitted  critical  infrastructure  information.  No  action  was  taken  on  the  bill,  which 
was  referred  to  the  Committee  on  the  Judiciary. 

Senator  John  Cornyn,  Chairman  of  the  Senate  Judiciary  Subcommittee  on  the 
Constitution,  Civil  Rights,  and  Property  Rights,  addressed  the  alleged  lack  of 
oversight  of  FOIA  and  possible  over-classification  and  over- withholding  of  federal 
information.248  Subsequently,  the  Senate  Judiciary  Committee’s  Subcommittee  on 
Terrorism,  Technology,  and  Homeland  Security  held  a  hearing  on  March  15,  2005 
on  this  topic  and  on  S.  394,  the  “Openness  in  Government  and  Freedom  of 
Information:  Examining  the  Open  Government  Act  of  2005.”  The  bill  was  reported 
out  of  the  Senate  Judiciary  Committee  favorably  without  amendment  on  September 
21,  2006.  Among  other  things,  it  would  amend  FOIA  with  respect  to  oversight  of 
requests  for  information  and  stricter  enforcement  of  a  20-day  deadline  to  respond  to 
FOIA  requests  for  release  of  information.  It  would  also  have  increased  oversight  of 


247  Available  at  [http://www.fas.org/sgp/news/2006/02/aba-sbu.pdf]. 

248  John  Cornyn,  “Ensuring  the  Consent  of  the  Governed:  America’s  Commitment  to 
Freedom  of  Information  and  Openness  in  Government,”  LB  J  Journal  of  Public  Affairs,  Fall 
2004,  pp.  7-10. 
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DHS’s  handling  of  critical  infrastructure  information  submitted  by  private 
corporations.  A  related  house  bill  is  H.R.  867,  reported  amended  by  a  subcommittee 
to  the  House  Committee  on  Government  Reform  on  September  27,  2006. 

S.  589,  the  “Faster  FOIA  Act  of  2005,”  would  have  strengthened  FOIA  by 
creating  an  advisory  commission  tasked  with  proposing  ways  to  reduce  delays  in 
responding  to  FOIA  requests  and  would  ensure  the  efficient  and  equitable 
administration  of  FOIA  throughout  the  federal  government.  It  was  reported  favorably 
without  written  report  and  approved  by  the  Senate  Judiciary  Committee  on  March  17, 
2005.  The  House  companion,  H.R.  1620  was  referred  to  the  House  Committee  on 
Government  Operations.  No  further  action  occurred  in  the  House  or  the  Senate. 

During  the  109th  Congress,  S.  1181  required  that  any  future  legislation  to 
establish  a  new  exemption  to  FOIA  must  be  stated  explicitly  within  the  text  of  the 
bill.  Specifically,  any  future  attempt  to  create  a  new  so-called  “(b)(3)  exemption”  to 
FOIA  must  specifically  cite  that  section  of  FOIA.  The  bill  set  congressional  intent 
that  documents  should  be  available  to  the  public  under  FOIA  unless  Congress 
explicitly  creates  an  exception.  It  would  have  prohibited  applying  the  FOIA  to 
matters  specifically  exempted  from  disclosure  by  a  statute  (other  than  open  meetings 
under  the  Government  in  the  Sunshine  Act)  enacted  after  July  1,  2005,  that 
specifically  cite  this  Act  and  either:  (1)  requires  that  the  matters  be  withheld  from  the 
public  in  such  a  manner  as  to  leave  no  discretion  on  the  issue;  or  (2)  establishes 
particular  criteria  for  withholding  or  refers  to  particular  types  of  matters  to  be 
withheld.  The  Senate  approved  the  bill  on  June  24,  2005;  subsequently,  it  was 
referred  to  the  House  Committee  on  Government  Reform. 

S.  1873,  the  “Biodefense  and  Pandemic  Vaccine  and  Drug  Development  Act  of 
2005,”  introduced  in  the  109th  Congress,  would  have  “prepare[ed]  and  strengthen[ed] 
the  biodefenses  of  the  United  States  against  deliberate,  accidental,  and  natural 
outbreaks  of  illness”  and  would  establish  a  new  Biomedical  Advanced  Research  and 
Development  Agency  (BARDA),  whose  activities  and  information  would  be 
categorically  exempt  from  disclosure  under  the  Freedom  of  Information  Act  (FOIA). 
The  bill  was  reported  amended  without  written  report  by  the  Senate  Committee  on 
Health,  Education,  Labor,  and  Pensions,  on  October  25.  There  has  been  opposition 
to  such  blanket  exemption  because  reportedly,  no  other  federal  agency  has  such 
universal  exemption  from  FOIA.249 

A  revised  bill,  S.  2564,  introduced  on  Aril  6,  2006,  would  have  modified  the 
FOIA  to  permit  release  of  information  unless  the  Secretary  of  Homeland  Security 
determines  disclosure  of  scientific  or  technical  data  created  or  obtained  while  doing 
countermeasures  R&D  might  “ ...  reveal  vulnerabilities  of  existing  medical  or  public 
health  defenses  against  biological,  chemical,  nuclear,  or  radiological  threats”  (Sec. 
319L(e)(l)(A).)  The  House  companion  bill,  H.R.  5533,  which  also  included  this 


249  Eugene  Russo,  “Biodefense  Bill  Flawed,  Says  American  Society  For  Microbiology,  Other 
Critics,”  Research  Policy  Alert,  Nov.  9,  2005;  “Senate  Bill  Would  Increase  Biodefense 
Secrecy,”  at  [http://www.fas.Org/irp/congress/2005_cr/s  1873.html], 
[http://pogoblog.typepad.com/pogo/2005/10/bioshielding_in.html],  and 
[http://www.armscontrolcenter.org/archives/002155.php]. 
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provision,  passed  the  House  on  September  26,  2006  (H.Rept.  109-656).  Questions 
surrounding  precise  definitions  of  the  vague  term  “vulnerabilities”  have  not  been 
resolved.250 

Federal  Information  Systems  and  Automated  Identification 
Processes  Used  for  Sensitive  Information 

Recognition  of  federal  agency  use  of  the  category  SBU  is  illustrated  by  the  need, 
often  mentioned  in  GAO  reports,  for  agencies  to  share  sensitive  information 
especially  relating  to  homeland  security,251  and  the  fact  that  agencies  are  developing 
implementation  policies  and  information  systems  to  control  and  transmit  this 
category  of  information  among  those  with  a  need  to  know  it.  In  addition,  some 
agencies  have  begun  to  develop  encrypted  or  protected  federal  information  systems 
to  transmit  SBU  information  to  persons  who  have  received  approval  from  an 
originator  or  other  form  of  clearance  to  use  them,  including  first  responders,  who 
usually  need  to  sign  nondisclosure  statements  and  could  be  punished  for  violations 
of  transmittal  to  third  parties.  (For  additional  information,  see  Appendix  B  on 
“Illustrations  of  Federal  Information  Systems  Created  to  Transmit  Sensitive  But 
Unclassified  Information  Systems.”)252 

In  addition,  some  agencies  are  using  visualization  analysis  or  other  automated 
processes  to  identify  and  control  sensitive  information.  For  instance,  the  Idaho 
National  Laboratory,  sponsored  by  DOE  in  cooperation  with  Pacific  Northwest 
National  Laboratory,  reportedly  has  developed  an  automated  system,  a  software 
program  called  Mozart,  that  automates  identification  of  sensitive  information  on  a 
website  by  “...using  advanced  intelligence  analysis  algorithms,  [and]  provides  a 
report  that  can  be  used  to  determine  if  there  is  sufficient  information  on  a  site’s 
Internet  web  pages  to  compromise  sensitive,  proprietary,  or  classified  activities  or 
support  adversarial  targeting  of  individuals  and  programs.”253  As  another  example, 
the  Department  of  Energy  contracted  with  a  research  group  at  the  University  of 
Nevada,  Las  Vegas,  to  develop  and  install  on  3,000  computers  a  program  called  the 
“Homeland  Security  Classifier.”  It  reads  and  sorts  electronic  text  documents  “by 


250  See  for  additional  information,  Project  BioShield ,  by  Frank  Gottron,  CRS  Report 
RS21507. 

251  See,  for  instance,  GAO,  High-Risk  Series,  An  Update,  Jan.  2005,  GAO-05-207,  pp.  15-20, 
which  addresses  why  the  federal  government  needs  to  share  homeland  security  information 
and  to  standardize  policies.  See  also  Tim  Starks  and  Zack  Phillips,  “Washington  and 
Critical  Industries  Still  Feeling  Their  Way  Toward  a  System  to  Share  Security  Data,” 
CQHomeland  Security,  Dec.  14,  2004. 

252  See  also  CRS  Report  RL32597,  op.  cit. 

253  Greg  Griffin,  “Program  Management  Perspective:  Sensitive  Unclassified  Information,” 
The  Dragon ’s  Breath,  April  2003.  See  also  [http://wwww.pnl.gov/isrc/mozart.faq.html] .  See 
also,  a  document  issued  by  the  Pacific  Northwest  National  Laboratory,  a  Department  of 
Energy  affiliated  national  laboratory,  in  “F.A.Q.  Mozart,”  at 
[http://www.pnl.gov/isrc/mozart/faq.html]. 
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applying  the  same  rules  used  by  human  classifiers”  to  identify  sensitive  nonclassified 
information,  or  to  categorize  a  document  as  releasable.254 

Inconsistency  in  Agencies’  Processes  To  Identify  SBU 
Information 

Federal  agencies  use  a  variety  of  different  concepts  of  SBU  information  and 
methods  to  restrict  public  access  to  it.  Labels  include  such  terms  as  FOUO,  SSI, 
SHSI,  CEII,  OUO,  “limited  official  use”  (LOU),  “law  enforcement  sensitive,”  and 
“controlled  unclassified  information.”  A  CDC  manual  identifies  at  least  14  such 
labels  that  federal  agencies  use,  and  other  inventories  contain  50  or  more  such 
categories.255 

As  illustrated  by  the  descriptions  in  Appendix  A,  while  some  agencies  use  the 
FISMA-mandated  processes  to  categorize  information  and  implement  information 
security  protections  based  on  the  level  of  risk  associated  with  unauthorized  access, 
some  agencies  continue  to  use  a  definition  of  “sensitive”  that  is  based  on  the  CSA 
definition,  which  leads  to  identification  and  implementation  policies  that  are  based 
on  type  or  content  of  information  or  threat.  For  instance,  the  Department  of 
Homeland  Security,  in  its  SBU  management  directive  11042.1,  included  the 
Computer  Security  Act  and  its  definition  of  “sensitive”  as  the  first  item  under  the 
heading  “Policy  and  Procedures”  that  govern  the  directive,  but  said  “  ...  with  the 
exception  of  certain  types  of  information  protected  by  statute,  specific,  standard 
criteria  and  terminology  defining  the  types  of  information  warranting  designation  as 
‘sensitive  information’  does  not  exist  within  the  federal  Government.  Such 
designations  are  left  to  the  discretion  of  each  individual  agency.”256 

The  OMB  still  refers  to  the  concept  of  “sensitive”  as  it  appears  in  the  CSA  in 
its  guidance  for  information  security,  Appendix  HI,  “Security  of  Federal  Automated 
Information  Resources,”  of  OMB  Circular  A- 130,  Transmittal  Memorandum  #4, 
Management  of  Federal  Information  Resources,  which  is  dated  November  28, 2000, 
but  is  identified  on  the  OMB  website  as  the  current  circular.257  It  says  that  “[t]he 


254  Cate  Weeks,  “Finding  Needles  in  the  Haystack,”  UNLV  Magazine ,  Summer  2004. 

255  Sensitive  Information  Protection  Manual,  attached  to  the  directive.  “Sensitive  But 
Unclassified  Information,”  Manual  Guide-Information  Security  CDC-02,  as  first  reported 
in  “CDC  Issues  Policy  on  Sensitive  But  Unclassified  Info,”  Secrecy  News,  Aug.  2,  2005. 
A  private  group  identified  about  50  such  categories.  See,  Secrecy  Report  Card  2005, 
Quantitative  Indicators  of  Secrecy  in  the  Federal  Government,  op.  cit.,  pp.  9-10.  See  also 
Sara  E.  Kelley,  “A  Selected  Bibliography  on  ‘Sensitive  But  Unclassified’  and  Similarly 
Designated  Information  Held  by  the  Federal  Government,”  Dec.  17,  2005,  at 
[http://www.llrx.com/features/sbu.htm] .  Another  author  says  there  is  evidence  of  the  federal 
use  of  over  60  federal  SBU  terms:  Laura  Gordon-Murnane,  “ShhhH:  Keeping  Current  on 
Government  Secrecy,”  Searcher,  Jan.  2006. 

256  MD  11042.1,  op.  cit.,  pp.  3-5. 

257  The  appendix  establishes  “a  minimum  set  of  controls  to  be  included  in  Federal  automated 
information  security  programs;  assigns  Federal  agency  responsibilities  for  the  security  of 
automated  information;  and  links  agency  automated  information  security  programs  and 
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Appendix  ...  incorporates  requirements  of  the  Computer  Security  Act  of  1987  ...  and 
responsibilities  assigned  in  applicable  national  security  directives.”  This  circular 
may  be  confusing  because,  while  it  acknowledges  the  need  for  agencies  to  use 
broader  NIST  risk-based  procedures  and  guidance  to  provide  information  security  for 
all  information,258  it  does  not  mention  the  FISMA  Act  or  the  specific  concepts  it 
embodied.  The  Appendix  continues,  at  times,  to  refer  to  the  narrower  CSA  concept 
of  sensitive  information  that  was  rendered  moot  with  passage  of  FISMA.  For 
instance,  it  continues  to  refer  to  the  CSA’s  requirements  for  agencies  to  protect 
computer  systems  containing  sensitive  information,  and  for  the  Secretary  of 
Commerce  to  “develop  and  issue  appropriate  standards  and  guidances  for  the  security 
of  sensitive  information  in  federal  computer  systems.”259 

In  a  somewhat  obscure  document  —  a  “note”  of  July  3,  2003  —  the  OMB  gave 
specific  guidance  to  agency  Chief  Information  Officers  to  use  FISMA  processes.260 
The  attached  sheets,  entitled  “Certification  and  Accreditation  —  What  An  Agency 
Can  Do  Now,”  refer  to  FISMA  and  certain  pertinent  NIST  publications  and  say  “The 
need  for  determining  the  sensitivity  of  the  information  (risk  level)  as  it  relates  to 
high,  medium,  and  low  needs  for  the  confidentiality,  integrity,  and  availability  of  the 
data  ...  are  required  in  NIST  SP  80-18  and  must  be  part  of  the  system  security 
plan.”261  It  also  referred  agencies  to  a  then  forthcoming  document,  NIST  SP  800-37, 
and  other  documents  that  it  instructed  agencies  to  use.  It  admonished  that  “FISMA 
requires  assessments  of  the  risk  and  magnitude  of  harm  that  could  result  from  the 
unauthorized  access,  use,  disclosure,  disruption,  modification  or  destruction  of 
information  and  information  systems  that  support  the  operations  and  assets  of  the 
agency.”262 


257  (...continued) 

agency  management  control  systems  established  in  accordance  with  OMB  Circular  No.  A- 
123.” 

258  The  Circular  says,  “The  focus  of  [previous  bulletins]  was  on  identifying  and  securing 
both  general  support  systems  and  applications  which  contained  sensitive  information.  The 
Appendix  requires  the  establishment  of  security  controls  in  all  general  support  systems, 
under  the  presumption  that  all  contain  some  sensitive  information,  and  focuses  extra  security 
controls  on  a  limited  number  of  particularly  high-risk  or  major  applications”(Section  B. 
Descriptive  information).  On  the  same  page  it  says  “The  Computer  Security  Act  requires 
that  security  plans  be  developed  for  all  federal  computer  systems  that  contain  sensitive 
information.  Given  the  expansion  of  distributed  processing  since  passage  of  the  Act,  the 
presumption  in  the  Appendix  is  that  all  general  support  systems  contain  some  sensitive 
information  which  requires  protection  to  assure  its  integrity,  availability,  or  confidentiality, 
and  therefore  all  systems  require  security  plans.” 

259  Appendix  III  to  OMB  Circular  A- 1 30. 

260  “Note  to  Agency  Chief  Information  Officers  on  “Guidance  on  Certification  and 
Accreditation,”  from  Mark  Forman,  administrator,  OMB  Office  of  E-Government  and  IT, 
July  3,  2003. 

261  Attachment  to  Note,  July  3,  2003,  op.  cit.,  p.2. 

262  Attachment  to  Note,  July  3,  2003,  op.  cit.,  p.  3. 
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Among  other  major  federal  agencies,  the  Department  of  the  Army  and  DOD 
appear  to  base  some  major  concepts  of  SBU  on  the  CSA  definition  of  “sensitive” 
information  that  is  not  classified.  DHHS  clearly  appears  to  use  a  FISMA-based  risk 
process;  USDA  uses  a  mixed  FISMA  and  CSA  approach;  agencies  that  use  their  own 
definitions  include  DOE,  NRC,  DOD,  NRC,  and  FERC.  (For  an  illustration  of  the 
definitions  and  procedures  agencies  use  to  define  SBU  information  and  processes  to 
control  it,  see  Appendix  A,  “Illustrations  of  Federal  Agency  Controls  on  Sensitive 
Information.”) 

Activities  Relating  To  Developing  a  Standard  Definition  of 
SBU  Information 

Critics  have  often  decried  the  proliferation  of  SBU  concepts  and  the  resulting 
differences  in  implementation  policies  —  which  make  it  difficult  for  researchers, 
agency  staff  who  label  and  protect  information,  and  public  users  to  know  what 
information  is,  or  is  to  be,  labeled  SBU.  For  instance.  Representative  Henry  A. 
Waxman,  ranking  Minority  Member  of  the  House  Committee  on  Government 
Reform,  in  a  March  1 , 2005  letter  to  the  Chairman  of  the  Committee  ’  s  Subcommittee 
on  National  Security,  Emerging  Threats,  and  International  Relations,  criticized  the 
increasing  proliferation  of  “pseudoclassification”  categories  like  SBU  and  the  fact 
that  not  all  documents  marked  SBU  would  be  legitimate  threats  to  national  security 
if  released.263  During  a  hearing  held  on  March  2,  2005,  on  “Emerging  Threats: 
Overclassification  and  Pseudoclassification,”  he  remarked  that  the  term  SBU  was 
used  inappropriately  to  withhold  information  from  the  public  who  need  to  know  it 
or  to  prevent  the  public  from  seeing  inaccurate  or  politically  embarrassing 
documents.264  The  DHS,  he  contended,  used  the  SBU  designation  to  withhold  the 
identity  of  the  ombudsman  that  the  public  is  supposed  to  contact  about  airline 
complaints.265  Mr.  Waxman  concluded  in  his  letter  to  the  chairman,  which  was  made 
part  of  the  hearing  record,  that  “...  the  executive  branch  is  creating  new  categories  of 
‘sensitive  but  unclassified’  information  that ...  lack  a  statutory  basis,  and  there  is  no 
federal  entity  monitoring  their  use.”266  Another  witness  at  the  March  2005  hearing 
testified  that  “[ 1 1 hcse  ill-defined  categories  —  be  they  ‘sensitive  but  unclassified,’ 
‘sensitive  security  information,’  or  some  form  of  ‘critical  infrastructure  information’ 
—  almost  always  do  more  harm  than  good.  They  ...  are  based  on  ...  an  antithetical 
proposition  in  our  democracy  —  that,  when  in  doubt,  always  favor  secrecy  over 
openness.”267 


263  Rep.  Henry  Waxman  letter  to  Hon.  Christopher  Shays,  Chairman  of  the  Subcommittee, 
Mar.  1,  2005.  See  also  Rebecca  Carr,  “Government  Secrecy  Grows  With  Use  of  New 
Stamps,”  The  Oxford  Press  News,  Mar.  3,  2005. 

264  Testimony  of  Rep.  Henry  Waxman,  Emerging  Threats:  Overclassification  and  Pseudo- 
Classification,  Hearing  before  the  Subcommittee  on  National  Security,  Emerging  Threats, 
and  International  Relations  of  the  House  Committee  on  Government  Reform,  Mar.  2,  2005, 
109lh  Congress,  1st  session. 

265  Waxman,  testimony,  Mar.  2,  2005,  op.  cit. 

266  Waxman,  letter  to  Hon.  Christopher  Shays,  Mar.  1,  2005,  op.  cit.,  p.  12. 

267  According  to  testimony  by  Harry  Hammitt  before  the  House  Subcommittee  on  National 
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Dr.  Ron  Ross,  a  principal  author  of  NIST’s  security  standards  mandated  by 
FISMA,  commented  that  there  are 

dozens  of  different  definitions  of  “sensitive  unclassified  information”  across  the 
federal  government.  Originators,  or  information  owners,  have  discretion  in 
identifying,  marking,  controlling,  protecting,  and  releasing  sensitive  unclassified 
information  resulting  in:  uneven  and  inconsistent  protection  of  information 
assets;  varying  degrees  of  risk  resulting  from  different  release  criteria;  and 
inability  to  share  information  across  organizational  boundaries  with  confidence 
and  trust.268 

William  J.  Leonard,  the  director  of  the  Information  Security  Oversight  Office 
(ISOO)  at  the  National  Archives  and  Records  Administration  (NARA),  which 
conducts  periodic  inspections  and  reviews  classification  and  declassification  plans, 
criticized  the  "...  lack  of  common  understanding  of  what  exactly  sensitive 
information  is,  how  to  identify  it,  and  how  and  when  to  protect  it.”269  He  emphasized 
that  the  federal  government  needs  a  reasonable  policy  to  share  or  withhold 
information  and  “in  many  instances,  ‘sensitive  but  unclassified’  is  a  label  without 
meaning  that  is  misused  by  officials  who  lack  the  proper  ‘training,  background  or 
understanding’  to  decide  what  to  withhold.”270  He  is  reported  to  have  said  “The  DHS 
policy  ‘creates  an  environment  exactly  opposite  ...  [from]  what  we’re  trying  to  do  in 
the  name  of  information  sharing....  It  creates  an  environment  of  uncertainty.’”271 
Workers  in  government  agencies  are  confronted  with  a  proliferation  of  many  SBU 
protection  “regimes”  and  “...  will  prefer  to  err  on  the  side  of  caution,  or  withholding 
information,  out  of  confusion  and/or  a  fear  of  getting  in  trouble.”272  According  to 
Leonard, 

...  a  water  works  operator  may  submit  a  report  of  anomalous  activity  involving 
the  water  authority.  Standing  by  itself,  that  information  may  appear  innocuous; 
however,  it  may  be  a  critical  link,  for  example,  to  a  public  health  official  dealing 
with  his  or  her  own  anomaly.  That  public  health  official  should  be  able  to  access 
and  become  aware  of  that  information  from  the  waterworks  operator  without  a 


267  (...continued) 

Security,  Emerging  Threats,  and  International  Relations,  Mar.  2,  2005,  p.  8. 

268  Ron  Ross,  “Protecting  Controlled  Unclassified  Information,  A  Strategy  for  Effectively 
Applying  the  Provisions  of  FISMA,  Presentation  to  the  Joint  Futures  Laboratory,”  [2005], 

p.  11. 

269  William  J.  Leonard,  “Speech  to  Classification  Managers,”  June  2004,  “Challenges  to 
Information  Sharing  and  Protections  Post  9/1 1,”  In  Special  Report:  Government  Security 
Panel  Report  at  http://www.cip.umd.edu/special/govsecpanel_report_29july04.htm. 

270  R.  Jeffrey  Smith,  May  29,  2004,  op.  cit. 

271  “DHS  Non-Disclosure  Agreements  Stir  Concern,”  Secrecy  News,  Dec.  6,  2004,  citing 
Eileen  Sullivan,  “Searches  and  Gag  Orders:  Homeland  Security’s  Unprecedented  Campaign 
Cloaks  Unclassified  Info,”  Federal  Times,  Dec.  6,  2004.  See  also  “Homeland  Secrecy,” 
Washington  Post,  Dec.  3,  2004,  p.  A26. 

272  “Challenges  to  Information  Sharing  and  Protections  Post  9/11,”  In  Special  Report: 
Government  Security  Panel  Report  at  http://www.cip.umd.edu/special/govsecpanel_report 
_29july04.htm.  (J.  William  Leonard,  Statement.) 
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supposedly  omniscient  authority  in  the  middle  making  singular  decisions  as  to 
who  should  receive  the  information  and  who  should  not.  The  essence  of 
information  sharing  is  that  the  entity  on  the  “edge”  should  be  in  a  position  to 
receive  the  same  information  as  those  at  the  “center.273 

He  wrote  that  consistent  standards  require  a  common  lexicon,  a  common 
governmental  authority  responsible  to  “revalidate  and  synchronize  the  various 
existing  regimes  controlling  unclassified  information,”274  and  "...  a  simplified 
framework  that  can  serve  as  a  template  for  the  identification,  control  and  protection 
of  unclassified  information  whose  dissemination  is  controlled.”  Among  its  potential 
benefits,  such  a  framework  would  have  “great  specificity  with  respect  to  what 
information  is  covered  and  what  is  not  covered  [and]  limits  on  who  could  designate 
information  as  controlled.  It  would  allow  discretion  to  not  use  controls  “even  if  the 
information  is  eligible.”  It  would  have  “[b]uilt-in  criteria  that  must  be  satisfied  in 
order  to  place  controls  on  dissemination,”  recognize  due-diligence  standards  about 
handling  and  protecting  information,  a  fixed  time  duration  for  control,  and  an  appeal 
process.”275 

As  noted  above,  the  ABA  House  of  Delegates  adopted  a  resolution  on  February 
13,  2006,  that  among  other  things  called  for  establishment  of  a  standard  policy  to 
designate,  handle,  and  release  such  information  except  if  it  is  exempt  under  FOIA. 

Recognition  of  the  need  for  basic  standardization  of  homeland  security-related, 
sensitive,  unclassified  information  was  made  by  Congress  when  it  enacted  section 
892  of  P.L.  107-296,  which  mandated  Presidential  issuance  of  guidance  to  define 
procedures  to  protect  sensitive  but  unclassified  homeland  security  information. 
Guidelines  have  not  been  issued  as  of  the  publication  date  of  this  report.  Also,  as 
already  noted  in  this  report,  in  December  2005,  the  President  issued  instructions  to 
federal  agencies  to  inventory  all  their  SBU  information,  the  authorities  invoked  to 
label  it  SBU,  and  practices  used  to  protect  it,  with  the  objective  of  generating  uniform 
government- wide  standards  and  procedures  for  designating,  marking,  and  handling 
SBU  information.  In  addition,  Congress  has  already  addressed  certain  aspects  of  how 
to  define  SBU  information,  and  additional  proposals  are  under  consideration. 

GAO  Study  on  SSI.  During  the  108th  Congress,  responding  to  a  request  by 
Representative  David  Obey  and  Representative  Martin  Olav  Sabo,  the  GAO  assessed 
the  DHS’s  use  of  the  concept  of  sensitive  security  information  (SSI)  —  specifically 
the  procedures  to  categorize  information  as  SSI,  procedures  to  remove  the  SSI  label, 
review  procedures  to  check  the  appropriateness  of  the  SSI  designation;  and 
organizational  functions  relating  to  taking  SSI  actions.276  The  Members  of  Congress 


273  “Information  Sharing  and  Protection:  A  Seamless  Framework  or  Patchwork  Quilt?” 
Remarks  at  the  National  Classification  Management  Society’s  Annual  Training  Seminar, 
June  12,  2003,  available  at  the  website  of  U.S.  National  Archives  and  Records 
Administration. 

274  Leonard,  June  12,  2003,  op.  cit. 

275  Leonard,  June  12,  2003,  op.  cit. 

276  “Audit  of  Sensitive  Security  Information  Requested,”  OMB  Watch,  Sept.  21,  2004, 
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were  concerned  about  why  information  that  had  already  been  released  to  the  public, 
or  seemingly  nonsensitive  information  such  as  government  telephone  directories,  was 
given  the  label  SSI  and  about  how  the  TSA  distinguished  between  information  that 
needs  to  be  protected  and  information  the  public  needs  for  its  own  safety.  According 
to  Congressman  Sabo,  “GAO  found  that  TSA  has  no  internal  control  procedures  for 
SSI  designation,  and  that  potentially  every  TSA  employee  can  stamp  something 
‘SSI.’”277  The  final  report  was  issued  as  Transportation  Security  Administration: 
Clear  Policies  and  Oversight  Need  for  Designation  of  Sensitive  Security  Information, 
GAO-05-677,  June  2005. 

P.L.  109-90  Requires  DHS  To  Improve  Use  of  SSI  Categories  and 
Report  to  Congress.  In  2005,  Congress  enacted  legislation,  based  on  language 
originating  in  the  House  and  offered  by  Mr.  Sabo  as  an  amendment  to  the  DHS 
FY2006  appropriations  bill,  “to  clarify  ‘SSI’  policy  and  procedures  including  which 
staff  may  appropriately  have  designation  authority.”  According  to  the  Conference 
Report,  H.Rept.  109-241,  “...  because  of  insufficient  management  controls, 

information  that  should  be  in  the  public  domain  may  be  unnecessarily  withheld  from 
public  scrutiny....”278  Section  537  on  “Sensitive  Security  Information”  of  the 
enactment,  P.L.  109-90,  requires  the  DHS  Secretary  to  ensure  that  there  is  an  official 
within  each  appropriate  office  with  clear  authority  to  “designate  documents  as  SSI 
and  to  provide  clear  guidance  as  to  what  is  SSI  material  and  what  is  not.”  It  noted 
that  a  limited  number  of  appointed  officials  pursuant  to  49  CFR  1520.5(b(l)-(16)) 
have  authority  to  designate  such  information.  Section  537  also  required  the  Secretary 
to  report  to  the  Appropriations  “...  Committees  not  later  than  December  31,  2005  on 
“(1)  Department- wide  policies  for  designating,  coordinating  and  marking  documents 
as  SSI;  (2)  Department- wide  auditing  and  accountability  procedures  for  documents 
designated  and  marked  as  SSI;  (3)  the  total  number  of  SSI  coordinators  within  the 
Department;  and  (4)  the  total  number  of  staff  authorized  to  designate  SSI  documents 
within  the  Department.”  Also,  by  January  31,  2006,  the  Secretary  of  Homeland 
Security  was  to  report  to  the  Appropriations  committees  the  titles  of  all  documents 
that  were  designated  by  DHS  as  SSI  in  their  entirety  between  October  1,  2005  and 
December  31,  2005,  and  for  each  year  thereafter.  About  1,000  items  were  so 
identified  for  the  three-month  period.279  The  Secretary  is  also  charged  with  providing 
examples  of  DHS  guidance  on  designation  of  the  16  SSI  markings  that  will  “serve 
as  the  primary  basis  and  authority  for  the  marking  of  DHS  information  as  SSI  by 
covered  persons”  (Sec.  537). 


276  (...continued) 

[http://www.ombwatch.org/article/articleprint/2409/-l/83].  See  also  Steven  Aftergood, 
Secrecy  News,  June  11,  2004  and  Sept.  23,  2004. 

277  Office  of  Rep.  Sabo,  “Sabo  Amendment  Addresses  Abuse  of  ‘SSI’  Designation  Within 
the  DHS,”  press  release.  May  10,  2005. 

278  U.S.  Congress,  Committee  of  Conference,  Making  Appropriations  for  the  Department 
of  Homeland  Security  for  the  Fiscal  Year  Ending  September  30,  2006,  and  for  Other 
Purposes,  109th  Congress,  1st  sess.,  [On  H.R.  2360],  H.Rept.  109-241,  Sept.  2005,  p.  37. 

279  “DHS  Lists  ‘Sensitive  Security  Information’  Titles,  Secrecy  News,  Sept.  7,  2006.  The 
report  is  available  at: [http://www.fas.org/sgp/othergov/dhs/ssi-titles.pdf]. 
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A  report  prepared  by  the  DHS  Under  Secretary  for  Management  and  sent  to 
Representative  Sabo  on  January  3,  2006,  responded  to  items  1  and  2  by  referring  to 
DHS  Management  Directive  11056,  dated  December  16,  2005,  which  establishes 

DHS’s  policy  for  SSL  The  report  provided  factual  data  in  response  to  items  3  and 

^  280 

P.L.  109-525  Limits  Excessive  Use  of  the  SSI  Label.  Section  525  of 
P.L.  109-295,  the  FY2007  DHS  appropriations  law,  limits  excessive  use  of  the  SSI 
labeling  category  especially  by  the  TSA  by  requiring  review  of  information  labeled 
as  SSI  if  a  document  so  labeled  is  requested  to  be  released.  It  also  requires  SSI  that 
is  three  years  old  and  falls  outside  of  certain  TSA-related  SSI  categories  to  be 
released  unless  the  DHS  Secretary  identifies  why  it  should  not  be  released.  The  law 
also  mandates  that  DHS  provide  compliance  reports  to  the  two  appropriations 
committees  and  that  GAO  prepare  a  report  on  implementation  of  these  requirements. 
It  permits  access  to  SSI  information  for  civil  court  proceedings. 

Studies  and  Hearings  on  SBU  During  2006.  In  March  2006,  GAO 
released  Information  Sharing,  The  Federal  Government  Needs  to  Establish  Policies 
and  Processes  for  Sharing  Terrorism-related  and  Sensitive  but  Unclassified 
Information ,281  in  response  to  a  request  made  by  Representative  Tom  Davis, 
Chairman,  House  Committee  on  Government  Reform;  Representative  Todd  Platt, 
Chairman,  House  Committee  on  Government  Reform,  Subcommittee  on  Government 
Management,  Finance  and  Accountability;  Representative  Christopher  Shays,  House 
Committee  on  Government  Reform,  Subcommittee  on  National  Security,  Emerging 
Threats,  and  International  Relations;  and  Senator  Susan  Collins,  Chairman,  Senate 
Committee  on  Homeland  Security  and  Governmental  Affairs.  The  GAO  inventoried 
how  26  federal  agencies  handled  SBU  information  in  response  to  requests.  It 
assessed  agency  use  of  such  information  control  terms  as  SBU,  FOUO,  LOU,  law 
defense  controlled  unclassified  information,  and  others.  The  study  concluded  that 

The  agencies  that  GAO  reviewed  are  using  56  different  sensitive  but  unclassified 
designations  (16  of  which  belong  to  one  agency)  to  protect  information  that  they 
deem  critical  to  their  missions  —  for  example,  sensitive  law  or  drug  enforcement 
information  or  controlled  nuclear  information.  For  most  designations  there  are 
no  governmentwide  policies  or  procedures  that  describe  the  basis  on  which  an 
agency  should  assign  a  given  designation  and  ensure  that  it  will  be  used 
consistently  from  one  agency  to  another.  Without  such  policies,  each  agency 
determines  what  designations  and  associated  policies  to  apply  to  the  sensitive 
information  it  develops  or  shares.  More  than  half  the  agencies  reported 
challenges  in  sharing  such  information.  Finally,  most  of  the  agencies  GAO 
reviewed  have  no  policies  for  determining  who  and  how  many  employees  should 
have  authority  to  make  sensitive  but  unclassified  designations,  providing  them 
training  on  how  to  make  these  designations,  or  performing  periodic  reviews  to 
determine  how  well  their  practices  are  working.  The  lack  of  such  recommended 
internal  controls  increases  the  risk  that  the  designations  will  be  misapplied.  This 


280  See  http://www://www.pogo.org/p/government/go-06090 1-091  l.html. 
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could  result  in  either  unnecessarily  restricting  materials  that  could  be  shared  or 

inadvertently  releasing  materials  that  should  be  restricted.282 

To  correct  this  situation,  GAO  recommended  that  the  Director  of  National 
Intelligence  (DNI)  assess  progress,  address  barriers,  and  propose  changes,  and  that 
OMB  work  with  agencies  on  policies,  procedures,  and  controls  to  help  achieve  more 
accountability.”283 

Similarly,  the  George  Washington  University-affiliated  National  Security 
Archive  released  a  survey  of  the  SBU  Information  labeling  practices  of  37  agencies, 
showing  that  eight  used  10  control  markings  based  on  statutory  authority  and  24  used 
28  markings  that  derived  form  internal  policies,  procedures  or  practices.284 

In  another  report,  entitled  Managing  Sensitive  Information:  Departments  of 
Energy  and  Defense  Policies  and  Oversight  Could  Be  Improved,2*5  GAO  made  a 
series  of  recommendations  for  DOD  staff  to  designate  the  FOIA  exemptions  on 
which  an  FOUO  designation  is  based,  that  both  agencies  clarify  appropriate  use  of 
the  OUO  or  FOUO  designation  so,  for  example,  to  not  conceal  “agency 
mismanagement,  that  both  agencies  improve  training  and  oversight  for  staff 
responsible  for  making  such  designations.286  These  findings  and  others  were 
discussed  at  a  hearing  held  on  March  14,  2006  by  the  House  Subcommittee  on 
National  Security,  Emerging  Threats,  and  International  Relations  of  the  Committee 
on  Government  Reform.287 

At  a  hearing  held  on  May  10,  2006  before  the  House  Homeland  Security 
Intelligence  Subcommittee,  Thomas  McNamara,  program  manager  for  the 
Information  Sharing  Environment,  who  reports  to  the  Director  of  National 
Intelligence,  testified  that  executive  agencies  used  more  than  60  categories  to  label 
sensitive  information  and  that  there  are  no  government-wide  definitions  or 
procedures  to  designate  such  information.  His  office  is  tasked  with  establishing 
standardized  polices  and  processes  to  share  terrorist-related  information  and  to 


282  “Information  Sharing,  The  Federal  Government  needs  to  Establish  Policies  and  Processes 
for  Sharing  Terrorism-Related  and  Sensitive  but  Unclassified  Information,”  GAO  Highlights 
[http://www.gao.gov/cgi-bin/getrpt7GAO-06-385]. 

283  Highlights  for  GAO-06-385,  Ibid. 

284  National  Security  Archive,  Pseudo-Secrets  ”  A  Freedom  of  Information  Act  Audit  of  the 
U.,S.  Government’ s  Policies  on  Sensitive  Unclassified  Information,  Washington,  Mar.  2006. 

285  GAO,  Managing  Sensitive  Information:  Departments  of  Energy  and  Defense  Policies  and 
Oversight  Could  Be  Improved,  GAO-06-369,  March  2006. 

286  GAO-06-369,  p.  12. 

287  Press  release.  House  Committee  on  Government  Reform,  Subcommittee  National 
Security,  Emerging  Threats,  and  International  Relations,  Hearing  on  “Drowning  in  a  Sea 
of  Faux  Secrets:  Policies  on  Handling  of  Classified  and  Sensitive  Information, ”Mar 
14,  2006.  See  hearing  on  Drowning  in  a  Sea  of  Faux  Secrets:  Policies  on  Handling  of 
Classified  and  Sensitive  Information.  The  hearing  is  Serial  No.  109-167,  available  at 
[http://www.house.gov/reform]. 
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recommend  standardized  procedures  to  handle  SBU.288  He  described  actions  taken 
by  his  office  to  respond  to  the  President’s  December  16,  2005  memo  to  agencies 
regarding  information  sharing  and  development  of  standards  for  SBU  information. 

Legislation  Introduced  on  “Pseudo-Classification” 

H.R.  2331,  the  “Restore  Open  Government  Act  of  2005,”  was  introduced  in  the 
109th  Congress.  It  is  similar  to  H.R.  5073  of  the  108th  Congress  and  called  for  an  end 
to  the  use  of  SBU  and  FOUO  and  related  terms289  without  defining  them.  Among 
other  things,  it  would  have  revoked  the  Ashcroft  and  the  Card  memos  released  in 
2001  and  would  seek  to  curtail  excessive  classification.  It  directed  the  Archivist  of 
the  United  States  to  (1)  report  on  the  use  of  pseudo-classification  designations;  and 
(2)  promulgate  regulations  banning  unnecessary  pseudo-classification  designations 
and  standards  for  withholding  nonclassified  information.  It  would  have  restored 
presumption  of  disclosure  under  FOIA,  facilitate  public  access  to  critical 
infrastructure  information,  address  alleged  excessive  over-classification,  and  make 
it  easier  to  challenge  agencies  that  are  accused  of  improperly  withholding 
information.  The  bill  was  referred  to  two  committees,  House  Government  Reform 
and  House  Homeland  Security.  No  action  was  taken  on  the  bill. 

The  Executive  Branch  Reform  Act  of  2006,  H.R.  5112,  a  bipartisan  bill  was 
introduced  jointly  on  April  27,  2006,  by  Representative  Tom  Davis  and 
Representative  Henry  Waxman,  It  was  reported  by  the  House  Committee  on 
Government  Reform  (H.Rept.  109-445).  It  directed  agencies  to  submit  to  the 
Archivist  of  the  United  States  and  specified  congressional  committees  a  report 
describing  the  use  of  “pseudo”  classification  designations.  The  Archivist  would  have 
been  mandated  to  develop  recommendations  to  improve  access  to  information  that 
would  ban  “pseudo”  classification  designations  that  are  not  defined  by  federal  statute 
or  elective  order  except  if  needed. 

Option  To  Monitor  Agency  Use  of  Risk-based  Standards  for 
Sensitive  Unclassified  Information 

As  noted  above,  some  agencies  appear  to  have  lagged  in  implementing 
procedures  as  prescribed  in  FISMA  to  protect  information,  including  sensitive 


288  Strohm,  Chris,  “Congress  Urged  to  Help  Make  More  ‘Sensitive’  Information  Public,” 
GovExec.com ,  May  11,  2006.  For  testimony,  see,  “Building  on  the  Information  Sharing 
Environment:  Addressing  Challenges  of  Implementation,  “By  Ambassador  Thomas  E. 
McNamara  before  the  Subcommittee  on  Intelligence,  Information  Sharing,  and  Terrorism 
Risk  Assessment,  House  Committee  on  Homeland  Security,  May  10,  2006.  Available  at 
[http://www.fas.org/irp/congress/2006_hr/05 1006mcnamara],  For  further  information,  see 
CRS  Report  RL33494  pp.  1 1,  12. 

289  According  to  section  5  of  the  bill,  “‘pseudo-classification  designations’  means 
information  control  designations,  including  ‘sensitive  but  unclassified’  and  ‘for  official  use 
only,’  that  are  not  defined  by  Federal  statute,  or  by  an  Executive  order  relating  to  the 
classification  of  national  security  information,  but  that  are  used  to  manage,  direct,  or  route 
Government  information,  or  control  the  accessibility  of  Government  information,  regardless 
of  its  form  or  format.” 
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information,  with  controls  based  on  risk  of  release.290  Some  may  ask,  why  have  they 
not  complied  yet?  Agencies  may  not  know  that  the  CSA  “sensitive  information” 
definition  was  rendered  moot,  especially  because  major  agencies,  including  OMB 
and  DHS,  still  reference  CSA  and  use  the  term  in  various  documents  and  guidances. 
The  CSA  definition  may  be  easy  to  use  since  it  is  broad  and  has  been  used  for  almost 
20  years.  It  is  possible  that  some  agencies  may  not  be  fully  aware  that  the  E- 
Govemment  Act  extends  to  handling  of  all  types  of  information,  including  what  they 
categorize  as  SBU  or  sensitive  information.  Slow  compliance  with  the  FISMA 
guidance  may  also  be  due  to  the  facts  that  it  took  several  years  for  NIST  to  prepare 
and  release  the  volumes  in  its  FIPS  series  and  for  agencies  to  accept  and  adjust 
procedures  to  adopt  the  risk-based  NIST  information  control  procedures.  These 
procedures  may  be  more  difficult  to  implement  that  traditional  information  control 
procedures  that  apply  labels  based  on  the  content  of  information.  Also,  according 
to  GAO,  Inspector  General  reports,  and  testimony  in  various  congressional  hearings, 
many  agencies  have  not  yet  formally  incorporated  an  overall  risk  management 
program  into  their  information  security  policies  because  they  are  slow  to  implement 
the  legislative  mandates  or  are  finding  it  too  expensive  to  comply  with  the  mandates 
of  the  E- Government  Act.291 

Some  information  handlers  may  be  wary  of  the  NIST  processes  because  they 
believe  that  risk-based  standards  prescribed  by  NIST  are  too  loose  for  their 
circumstances,  the  threats,  and  the  potentially  malevolent  uses  of  information 
confronting  their  agency.  They  may  believe  that  the  use  of  such  standards  would 
permit  the  release  of  sensitive  information  that  should  be  protected  or  that  risk-based 
analysis  may  not  be  rigorous  enough.292  Also,  agencies  may  be  aware  of  NIST  risk- 
based  standards,  but  may  choose  to  use  other  procedures  since  the  law  allows 
agencies  to  use  more  stringent  procedures  to  protect  information  if,  in  their 
determination,  agencies  recognize  the  NIST  standards  as  mandatory  minium 
standards. 

Despite  the  fact  that  OMB  does  not  require  formal,  detailed  risk  analyses  to  be 
conducted,  some  agencies  may  not  be  eager  to  comply  with  FISMA,  because  they 
might  believe  that  risk-based  analyses  might  be  expensive  to  conduct,  or  might  lead 
to  categorizing  a  lot  of  information  (whose  impact  levels  might  be  mixed  for  the 
three  categories  of  confidentiality,  accessability,  and  integrity)  at  the  highest  level  of 
impact  or  risk  (for  any  one  of  the  three  impacts).  Although  this  might  lessen  the  cost 


290  For  example,  see  U.S.  GAO,  Information  Security,  Department  of  Health  and  Human 
Sendees  Needs  to  Fully  Implement  Its  Program,  February  2006,  GAO-06-267;  see  also, 
Information  Security,  Federal  Agencies  Show  Mixed  Progress  in  Implementing  Statutory 
Requirements ,  Statement  of  Gregory  C.  Wilshusen,  Mar.  16,  2006,  GAO-06-527T. 

291  FISMA  is  Title  III  of  the  E-Government  Act.  See  Benton  Ives-Halperin,  “Effectiveness 
of  Cybersecurity  Law  Questioned,”  CQ  Homeland  Security,  Nov.  15,  2005. 

292  For  a  discussion  of  the  purported  limitations  with  respect  to  computer  security,  see 
Benton  Halperin,  “Risk-Based  Analysis  Might  Not  Work  in  Electronic  World,  Experts  Say,” 
CQ  Homeland  Security,  Nov.  23,  2005. 
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of  protection  (or  raise  it),  it  might  also  require  protecting  some  information  which 
does  not  need  to  be  safeguarded  at  such  a  stringent  level.293 

Two  oversight  issues  are  suggested  by  these  observations.  One  is  to  monitor 
federal  agency  compliance  with  FISMA,  especially  the  use  of  NIST-generated,  risk- 
based  standards  and  information  protection  procedures  to  identify  and  protect  all 
information,  including  sensitive  unclassified  information.  Another  is  that  in  light  of 
the  potential  confusion  resulting  from  the  language  of  Appendix  IE  to  OMB  Circular 
A- 130  regarding  the  basis  of  agency  information  security  responsibilities,  Congress 
may  seek  to  oversee  updating  of  the  appendix  document. 

Recommendations  to  Institute  Better  Governance  of  SBU 
Information  Procedures 

A  number  of  recommendations  have  been  made  relating  to  improving 
procedures  used  to  administer  SBU  controls.  It  is  possible  that  some  of  these  issues 
may  be  addressed  by  the  executive  branch  pursuant  to  the  President’s  memo  of 
December  16,  2005. 

Limit  the  Number  of  Persons  Who  Can  Designate  SBU.  As  noted 
above,  especially  in  the  comments  of  ISSO  Director  Leonard  and  others,  many 
governmental  officials  can  stamp  a  document  SBU.  It  was  reported  that  although  a 
limited  number  of  government  personnel  (estimated  at  more  than  4,000)294  can  stamp 
classified  documents  “top  secret”  (which  can  be  declassified  after  review  according 
to  a  regular  schedule,  or  whose  classification  can  be  appealed),  many  more 
employees  can  stamp  documents  SBU  (whose  designation  is  not  on  a  schedule  to  be 
reviewed  or  changed  and  for  which  there  are  no  appeal  process.)  Specific  comments 
in  this  regard  were  made  about  DHS’s  SBU  policies: 

the  new  FOUO  information  policy  is  actually  more  far-reaching  than  national 
security  classification  policy.  Thus,  classified  information  can  only  be  generated 
by  officials  who  have  been  authorized  by  the  President,  either  directly  or 
indirectly  by  delegation.  But  any  DHS  employee  or  contractor  can  designate 
information  a  FOUO  if  it  falls  within  eleven  broad  categories.  Moreover, 
managers  and  supervisors  can  also  designate  additional  information  as  FOUO 
even  if  it  falls  outside  of  those  categories.  Further,  the  classification  system 
provide  for  an  oversight  mechanisms  through  the  Information  Security  Oversight 
Office.  No  provision  for  oversight  of  the  new  FOUO  policy  is  included.295 

One  option  for  policymakers  may  be  to  consider  limiting  the  number  of  persons  who 
can  designate  information  as  SBU.  This  option  might  have  other  consequences.  It 
could  force  agencies  to  develop  formal  systems  to  categorize  SBU  information,  with 


293  Conversation  with  Ron  Ross,  NIST,  Feb.  2005. 

294  Paul  McMasters,  “Your  Right  to  Know,”  Star —  Tele  gram,  corn,  Mar.  13,  2005. 

295  “Dept  of  Homeland  Security  Tightens  Grip  on  Unclassified  Info,”  Secrecy  News,  June 
11,  2004).  See  also  comments  of  Aftergood  and  others  in  “Challenges  to  Information 
Sharing  and  Protections  Post  9/11 ,”  In  Special  Report:  Government  Security  Panel  Report , 
http://www.cip.umd.edu/special/govsecpanel_report_29july04.htm. 
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the  designation  responsibility  limited  to  a  few  selected  individuals,  similar  to  national 
security  information  “classification”  procedures.  Such  a  development  could  also 
legitimize  SBU  designation  as  a  formal  classification  category  and  cause  added 
expense  to  agencies. 

Options  To  Centralize  Policy  Control  for  SBU  Information.  The 

President’s  December  16,  2005  memo  appears  to  have  centralized  the  development 
of  SBU  policies  in  the  Director  of  National  Intelligence  (DNI),  who  is  to  develop 
policy  “in  coordination  with  the  Secretaries  of  State,  the  Treasury,  Defense, 
Commerce,  Energy,  Homeland  Security,  Health  and  Human  Services,  and  the 
Attorney  General  and  in  consultation  with  all  others  heads  of  relevant  executive 
departments  and  agencies....”296  Control  by  the  DNI  may  imply  the  development  of 
SBU  information  control  policies  that  may  be  more  restrictive  than  some  critics 
would  prefer.297 

There  have  been  proposals  to  establish  a  central  authority  elsewhere  in  the 
federal  government  to  develop  policy  and  guidelines  for  SBU  information  —  such 
as  in  OMB,  the  NARA’s  Information  Security  Oversight  Office  (ISOO),  the 
Interagency  Security  Classification  Appeals  Panel  (ISCAP),  or  within  the  judicial 
system.  For  instance,  a  report  released  in  December  2004  by  the  Heritage  Foundation 
and  the  Center  for  Strategic  and  International  Studies  concluded  that  centralization, 
perhaps  in  OMB,  could  assist  in  inventorying  which  information  might  be  sensitive 
and  in  developing  standardized  policies: 

To  date,  there  has  been  no  systematic  review  of  what  government  information 
that  is  now  or  was  formerly  in  the  public  domain  could  be  used  as  a  “terrorist 
roadmap,”  the  likelihood  of  such  a  threat,  the  role  that  such  information  would 
play  in  terrorists  ’  preparation  (including  possibilities  of  alternative  sources  of  the 
same  information),  and  the  countervailing  public  safety  and  other  benefits  of 
providing  different  types  of  information.  Furthermore,  no  authority  is  clearly 
designated  to  make  these  evaluations  at  a  national  policy  level.  Current 
evaluations  are  conducted  at  the  departmental  level  at  best  or  on  an  ad  hoc,  office 
by-office  basis.  Nor  has  DHS  provided  any  leadership  or  guidance  to  the  private 
sector  about  how  the  private  sector  might  develop  voluntary  standards  for 
making  decisions  about  its  own  disclosures  of  sensitive  information,  even 
without  governmental  restrictions.  For  government  decisions,  there  is  no  single 
designated  authority  —  in  the  Office  of  Management  and  Budget  or  elsewhere 
—  for  determining  the  overall  policy  interests  and  objectives  of  information 
distribution,  including  common  baseline  standards  to  help  weigh  the  benefits  and 
risks  of  providing  the  public  with  specific  types  of  information,  regardless  of 
which  agencies  possess  the  information.  Such  a  single  authority  might  act  as  the 


296  Guideline  3  of  “Guidelines  and  Requirements  in  Support  of  the  Information  Sharing 
Environment,”  Memorandum  for  the  Heads  of  Executive  Departments  and  Agencies,  White 
House  press  release,  Dec.  16,  2005,  op.  cit. 

297  While  the  DNI  is  to  coordinate  classified  information  programs,  the  function  reportedly 
will  include  coordinating  efficient  sharing  of  information  across  the  government.  See  Lance 
Gay,  “Government  Withholds  ‘Sensitive-but-Unclassified’  Information,”  Scripps  Howard 
News  Sendee,  Feb.  2,  2006. 
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overall  reviewer  of  agencies’  public  disclosure  policies  and  their  implementation 
of  these  policies....298 

Similarly,  Steven  Aftergood,  editor  of  Secrecy  News,  was  reported  to  have 
observed  that  federal  agency  actions  that  declare  SBU  information  exempt  from 
FOIA  may  need  better  policy  guidance  and  that  [i]t  may  ultimately  require  judicial 
action  or  congressional  intervention  to  define  clearer  standards  for  what  may  be 
withheld  and  what  must  be  disclosed.”299  A  2004  Federation  of  American  Scientists’ 
report  concluded  that  oversight  of  SBU  information  designations  and  policy  might 
benefit  from  coverage  in  ISOO  or  ISCAP.  It  recommended  that 

[t]he  President  could  direct  the  ISOO  to  expand  its  portfolio  to  encompass  such 
sensitive  but  unclassified  information,  though  to  be  effective  this  would  require 
an  infusion  of  new  personnel  and  resources  to  an  organization  that  is  stretched 
thin.  Similarly,  the  President  could  task  ISCAP  to  receive  and  evaluate 
challenges  to  controls  that  have  been  imposed  on  unclassified  information,  in 
addition  to  its  current  oversight  of  classified  information.  To  avoid  diluting  or 
diverting  the  efforts  of  these  existing  entities,  it  may  be  preferable  to  devise  a 
new  organization  or  interagency  panel  that  can  tackle  controls  on  unclassified 
information,  while  bolstering  the  work  already  being  performed  on  oversight  of 
classified  information.300 

An  Appeals  Process.  The  need  for  an  appeals  process  for  SBU  information 
has  been  stressed  by  critics  who  allege  that  the  SBU  labeling  system  is  more 
restrictive  than  federal  national  security  information  classification  systems.  For 
instance,  in  testimony,  Hammitt  contended  that  “...  remedies  to  challenge  the 
designation  of  such  information  must  be  made  available.  Requesters  must  not  be 
forced  to  go  to  court  as  their  only  alternative.  Instead,  a  process  akin  to  mandatory 
declassification  review  should  be  instituted.”  He  also  argued,  “Along  these  same 
lines,  time  limits  for  protection  should  be  considered  and  implemented.  Sensitive 
information  may  well  be  sensitive  for  a  period  of  time  and  lose  its  sensitivity 
thereafter.  Once  information  is  no  longer  sensitive  it  should  be  made  publicly 
available.  [The  National  Archives  usually  declassifies  most  material  after  25  years, 
except  for  nuclear-related  information.]  .”301  Gansler  and  Lucyshyn  recommended  that 
the  National  Archives  and  Records  Administration  develop  and  administer  an  appeals 
process  to  allow  individual  decisions  about  release  of  information  on  a  case-by-case 
basis.302 


298  Carafano  and  Heyman,  pp.  20-21. 

299  Joe  Fitzgerald  and  Antonia  Badway,  “Government  Secrecy  In  the  Age  of 
Information”  Biodefense  Quarterly,  Summer  2003,  p.  2. 

300  Flying  Blind:  The  Rise,  Fall,  and  Possible  Resurrection  of  Science  Policy  Advice  in  the 
US,  Federation  of  American  Scientists,  2004,  by  Henry  Kelly,  Ivan  Oelrich,  Steven 
Aftergood,  Benn  H.  Tannenbaum,  pp.  63-64. 

301  Harry  Hammitt  in  testimony  before  the  House  Subcommittee  on  National  Security, 
Emerging  Threats  and  International  Relations,  Mar.  2,  2005,  p.  8-9. 

302  The  Unintended  Audience:  Balancing  Openness  and  Secrecy,  op.  cit. ,  p.  iii. 
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Other  Remaining  Issues  and  Unanswered  Questions 

Policymakers  may  encounter  some  remaining  unanswered  questions.  For 
example,  is  communication  between  the  intelligence  community  and  the  scientific 
community  good  enough  to  enable  researchers  to  identify  information  that  should  be 
protected  to  prevent  terrorists  from  gaining  knowledge  to  harm  the  United  States? 
Do  SBU  controls  constitute  another  type  of  classification  system?  Just  how  much 
scientific  and  technical  information  is  being  withheld  under  various  SBU 
designations  and  how  has  such  withholding  affected  the  conduct  of  research  and 
development  and  the  use  of  scientific  and  technical  information  in  policymaking? 
Should  special  considerations  be  given  to  allow  access  to  scientific  and  technical 
information,  especially  that  produced  by  universities,  since  the  academic  sector  has 
a  unique  role  as  a  generator  of  knowledge  as  a  public  good  and  as  a  significant 
“engine”  of  industrial  innovation?  Will  DHS’s  SBU  controls  on  “developing 
technology  or  current  technology”  affect  information  generated  by  DHS-funded 
research  and  development  grants  and  contracts?  Can  risk-based  procedures  be  used 
effectively  to  control  access  to,  and  dissemination  of,  scientific  and  technical 
information,  and  can  they  effectively  balance  access  and  control?  Would  the  use  of 
risk-based  procedures  generate  control  procedures  different  from  those  used  in 
existing  SBU  information  control  systems?  What  is  the  cost  (administrative  and 
financial)  of  SBU  information  control  regimes,  the  actions  needed  to  implement 
them,  and  to  safeguard  SBU  information  indefinitely?  Would  there  be  a  significant 
difference  in  cost-effectiveness  calculations  for  implementing  risk-based  analysis 
procedures  versus  some  of  the  currently  used  SBU  procedures?  Should  there  be 
monitoring  of  the  use  and  effects  on  scientific  communication  of  governmental  and 
private  sector  voluntary  information  control  procedures?  Who  should  conduct  such 
monitoring? 

The  President,  the  Congress,  and  the  scientific  community  have  initiated  steps 
to  answer  some  of  these  questions.  The  ongoing  activities  —  to  inventory  agency 
activities,  to  oversee  agency  policies  and  procedures,  to  clarify  terminology,  and  to 
develop  professional  groups’  codes  of  conduct  and  voluntary  control  procedures  — 
may  foster  practices  that  are  compatible  with  the  continuous  growth  of  scientific 
knowledge  and  dynamics  in  the  emergence  of  new  threats.  Competing  stakeholder 
demands  will  continue  to  confront  Congress  and  the  executive  branch  as  policies  are 
refined  to  balance  security  and  access  to  scientific  information. 


CRS-76 


Appendix  A.  Illustrations  of  Federal  Agency 
Controls  on  Sensitive  Information 

The  following  information  illustrates  how  agencies  define  SBU  information  and 
the  procedures  they  use  to  control  it.303  Because  agency  policies  are  difficult  to 
obtain,  the  information  in  this  section  is  meant  to  be  illustrative  and  is  limited  to  what 
is  readily  accessible.  It  divides  agency  descriptions  into  four  categories:  (1)  Agencies 
that  use  the  definition  of  “sensitive”as  found  in  the  Computer  Security  Act;  (2) 
Agencies  that  use  FISMA  guidelines  or  risk-based  procedures  to  develop  information 
security  policies;  (3)  Agencies  that  mix  use  of  SBU  and  FISMA  concepts;  and  (4) 
Agencies  that  use  unique  definitions. 

Agencies  That  Use  the  Definition  of  “Sensitive”  as  Found  in 
the  Computer  Security  Act  (CSA) 

Some  agencies  use  the  CSA  definition  of  sensitive,  which  identifies  information 
based  on  its  content,  not  on  the  risk  of  release. 

Department  of  Homeland  Security  (DHS).  The  Department  of  Homeland 
Security  in  a  management  directive  applicable  within  the  agency,  released  first  in 
2004  and  then  revised  in  January  2005,  cited  the  CSA,  P.L.  100-235,  and  repeated 
the  law’s  now  rescinded  definition  of  “sensitive  information”  as  the  first  element  of 
policy  guiding  the  directive.  It  does  not  necessarily  endorse  use  of  this  definition  but 
says  that  “specific,  standard  criteria  and  terminology  defining  the  types  of 
information  warranting  designation  as  ‘sensitive  information’  does  not  exist  within 
the  federal  government.  Such  designations  are  left  to  the  discretion  of  each  individual 
agency.”304 

Office  of  Management  and  Budget  (OMB).  Appendix  HI,  “Security  of 
Federal  Automated  Information  Resources,”  of  OMB  Circular  A- 130,  Transmittal 
Memorandum  #4,  Management  of  Federal  Information  Resources,  which  is  dated 
November  28,  2000,  but  is  identified  on  the  OMB  website  in  November  2005  as  the 
current  circular,  references  the  CSA,  but  not  the  FISMA  Act.  The  appendix 
establishes  “a  minimum  set  of  controls  to  be  included  in  Federal  automated 
information  security  programs;  assigns  Federal  agency  responsibilities  for  the 
security  of  automated  information;  and  links  agency  automated  information  security 
programs  and  agency  management  control  systems  established  in  accordance  with 
OMB  Circular  No.  A- 123.”  Its  guidance  could  lead  to  confusion  because  while  it 
acknowledges  the  need  to  use  NIST-generated  risk-based  procedures  to  protect  all 
kinds  of  information  (not  only  sensitive  information),  it  says  that  “[t]he  Appendix  ... 
incorporates  requirements  of  the  Computer  Security  Act  of  1987  (P.L.  100-235)  and 


303  See  also,  GAO-06-385,  op.  cit.,  Relyea,  CRS  Report  RL33494,  op.  cit.,  and  National 
Security  Archive,  Pseudo-Secrets”  A  Freedom  of  Information  Act  Audit  of  the  U.,S. 
Government’ s  Policies  on  Sensitive  Unclassified  Information ,  op.  cit. 

304  MD 1 1042. l,p.  3. 
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responsibilities  assigned  in  applicable  national  security  directives”305  It  continues  to 
use  the  term  “sensitive”  and  references  CSA’s  requirements  for  agencies  to  protect 
computer  systems  containing  sensitive  information  and  the  Secretary  of  Commerce’s 
responsibilities  to  promulgate  standards  to  protect  sensitive  information.  Guidance 
issued  to  a  limited  CIO  readership  makes  explicit  reference  to  NIST’s  post-FISMA 
responsibilities  and  for  agencies  to  use  mandatory,  risk-based  security  standards 
issued  by  NIST. 

Department  of  the  Army.  The  Department  of  the  Army  uses  the  term 
“Controlled  Unclassified  Information  (CUI)  Not  Subject  to  Public  Disclosure”  as 
including  the  “categories  of  ‘for  official  use  only,’  ‘sensitive  but  unclassified,’  which 
formerly  was  called  ‘limited  official  use,’  ‘sea  sensitive  information,’  ‘DOD 
unclassified  controlled  nuclear  information,’  and  ‘sensitive  information’  as  defined 
in  the  Computer  Security  Act  of  1987. ”306  CUI  “  ...  includes  U.S.  information  that 
is  determined  to  be  exempt  from  public  disclosure  in  accordance  with  DOD 
Directives  5230.25  and  5400.7  or  that  is  subject  to  export  controls  in  accordance  with 
the  International  Traffic  in  Arms  Regulation  or  the  Export  Administration 
Regulation.”  For  example: 

These  types  of  information  include  but  are  not  limited  to:  patent  secrecy  data, 
confidential  medical  records,  inter-and  intra-agency  memoranda  that  are 
deliberative  in  nature,  certain  data  compiled  for  law  enforcement  purposes,  data 
obtained  from  a  company  on  a  confidential  basis  employee  personal  data, 
internal  rules  and  practices  of  a  government  agency  that,  if  released  would 
circumvent  agency  policy  and  impede  the  agency  in  the  conduct  of  its  mission; 
and  finally  technical  controlled  unclassified  information.307 

National  Security  Agency.  In  a  2003  document  that  appears  to  still  be 
active,  the  National  Security  Agency  used  the  CSA  definition  to  define  the  term 
“sensitive  information”  as  “information,  the  loss,  misuse,  or  unauthorized  access  to 
or  modification  of,  that  could  adversely  affect  the  national  interest  or  the  conduct  of 
federal  programs,  or  the  privacy  to  which  individuals  are  entitled  under  5  U.S.C. 
Section  552a  (the  Privacy  Act),  but  that  has  not  been  specifically  authorized  under 
criteria  established  by  an  Executive  Order  or  an  Act  of  Congress  to  be  kept  classified 
in  the  interest  of  national  defense  or  foreign  policy.”  Expanding  this  definition,  it 
said  “(Systems  that  are  not  national  security  systems,  but  contain  sensitive 
information,  are  to  be  protected  in  accordance  with  the  requirements  of  the  Computer 
Security  Act  of  1987  (P.L.  100-235).)”308 


305  Appendix  III,  “Security  of  Federal  Automated  Information  Resources,”  to  “OMB  Circular 
A- 130,  Transmittal  Memorandum  #4,  Management  of  Federal  Information  Resources 
(1 1/28/2000),”  op.  cit. 

306  “Controlled  Unclassified  Information  (CUI)”  powerpoint  slide  show,  produced  by 
Department  of  the  Army,  nondated,  available  at  [http://www.fas.org/sgp/othergov/dod], 

307  “Controlled  Unclassified  Information  (CUI)”  powerpoint  slide  show,  op.  cit., 

308  National  Security  Agency,  Committee  on  National  Security  Systems,  National 
Information  Assurance  (I A)  Glossary,  CNSS  Instruction  No.  4009,  Revised  May  2003,  pp. 
55-56  [http://www.nstissc.gov/Assets/pdf/4009.pdf]. 
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Centers  for  Disease  Control  and  Prevention  (CDC).  CDC’s  2005 
policy  on  SBU  information  was  issued  in  an  information  security  manual  on  July  22, 
2005. 309  Applicable  to  all  employees  and  contractors,  the  manual  covers  information 
“sensitive  enough  to  require  protection  from  public  disclosure  —  for  one  or  more 
reasons  outlined  under  the  exemptions  of  the  Freedom  of  Information  Act,  but  may 
not  otherwise  be  designated  as  national  security  information.”  It  identified  and 
defined  categories  of  “sensitive  but  unclassified”  information,  including  one  labeled 
“Computer  Security  Act  Sensitive  Information”  which  it  defined  as  in  the  CSA, 
which  it  cited  as  the  source.  The  other  categories  of  information  CDC  defined  as 
SBU  include  “Contractor  Access  Restricted  Information,”  “Controlled  Unclassified 
Information,”  “DEA  Sensitive,”  “Department  of  State  Sensitive  But  Unclassified,” 
“DOE  Official  Use  Only,”  “Export  Controlled  Information  (or  material),”  “For 
Official  Use  Only,”  “GSA  Sensitive  But  Unclassified  Building  Information,”  “Law 
Enforcement  Sensitive,”  “Operations  Security  Protected  Information,”  “Privacy  Act 
Protected  Information,”  “Select  Agent  Sensitive  Information,”  and  “Unclassified 
Controlled  Nuclear  Information.”  All  CDC  information  has  to  be  reviewed  for 
security  and  approved  before  release;  relevant  information  will  be  protected  and 
encrypted  for  electronic  transmittal,  and  some  aggregated  information  may  qualify 
as  SBU.  Violations  of  the  policy  may  result  in  civil  or  criminal  action.  Healthcare 
information  and  public  health  data  and  statistics  would  not  be  “potentially  sensitive.” 
This  policy  was  modified  in  2006  to  require  that  if  a  request  is  received  for  a 
document  marked  SBU,  it  should  be  reviewed  to  determine  whether  it  qualifies  for 
an  exemption  under  FOIA  and  withholding  from  release.310 

International  Boundary  and  Water  Commission  (USIBWC).  The  U  S. 

section  of  the  International  Boundary  and  Water  Commission  between  the  United 
States  and  Mexico  issued  a  directive  on  July  8,  2005,  that  establishes  a  policy  of 
“sensitive  information  protection.”  Sensitive  information  is  defined  similar  to,  but 
more  broadly  than,  the  definition  used  in  the  CSA  as 

unclassified  information  of  a  sensitive  nature  not  otherwise  categorized  by 
federal  statute  or  regulation  and  the  unauthorized  disclosure,  loss,  or  misuse  of 
which  could  adversely  impact  on  the  following;  a  persons’  privacy  or  welfare; 
the  conduct  of  federal  programs;  or  the  conduct  of  other  programs  or  operations 
essential  to  the  national  interest.311 

Among  the  types  of  information  to  be  treated  as  sensitive  are  information 
exempt  from  disclosure  under  FOIA  and  the  Privacy  Act,  information  technology 
information,  and  USIBWC  internal  security  measures,  including  emergency 
management  plans,  physical  security  plans  and  reports  that  disclose  facility 
infrastructure  or  security  vulnerabilities,  continuity  of  operations  plans,  risk 


309  Sensitive  Information  Protection  Manual,  attached  to  the  directive.  “Sensitive  But 
Unclassified  Information,”  Manual  Guide -Information  Security  CDC-02,  as  first  reported 
in  “CDC  Issues  Policy  on  Sensitive  But  Unclassified  Info,”  Secrecy  News,  Aug.  2,  2005. 

310  CDC,  Sensitive  But  Unclassified,  February  2006,  posted  at 
[http://www.fas.org/sgp/othergov/cdc-sbu-2006.html],  by  Steven  Aftergood,  Secrecy  News, 
Feb.  27, 2006. 

311  Sensitive  Information  Protection  Manned,  p.  1,  attached  to  the  directive. 
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management  plans,  and  accreditation  and  recertification  documentation.312  Such 
information  is  to  be  released  only  to  those  who  have  a  “need  to  know”,  protections 
are  required  for  storage  and  transmittal,  and  penalties  are  imposed  for  disclosure, 
including  suspension  and  removal. 

Idaho  National  Engineering  and  Environmental  Laboratory.  The 

Idaho  National  Engineering  and  Environmental  Laboratory,  funded  by  the 
Department  of  Energy  (DOE),  said  in  2003  that  DOE  in  its  1995  safeguards  and 
security  glossary  defined  “sensitive”  substantially  similar  to  the  way  it  is  defined  in 
the  CSA.  It  then  offered  a  definition  that  is  broader  than  the  one  in  the  CSA: 

Information  for  which  disclosure,  loss,  misuse,  alteration,  or  destruction  could 
adversely  affect  national  security  or  government  interests.  National  security 
interests  are  those  unclassified  matters  that  relate  to  the  national  defense  or 
foreign  relations  of  the  U.S.  government.  Governmental  interests  are  those 
related,  but  not  limited  to  the  wide  range  of  government  or  government-derived 
economic,  human,  financial,  industrial,  agriculture,  technological,  and  law 
enforcement  information,  as  well  as  the  privacy  or  confidentiality  of  personal  or 
commercial  propriety  information  provided  the  U.S.  government  by  its 
citizens.313 

Agencies  That  Use  FISMA  Guidelines  or  Risk-Based 
Procedures  to  Develop  Information  Security  Policies 

Some  agencies  use  clearly  identified  risk-based  or  FISMA-derived  guidelines 
to  develop  information  security  policies. 

Department  of  Health  and  Human  Services  (DHHS).  DHHS’s  policy 
guidance,  entitled  Information  Security  Program  Policy,  December  15,  2004, 3 14  and 
its  Information  Security  Program  Handbook,  November  12,  2004,  contain  policy 
and  implementation  plans  that  appear  to  conform  with  the  NIST  guidance  documents. 
They  specify  that  sensitive  information  that  is  not  subject  to  national  security  controls 
should  be  protected  by  a  process  that  includes  risk  assessments  that  incorporate  threat 
and  vulnerability  analyses  and  development  of  security  programs  according  to  the 
level  of  risk  involved.  The  authorities  cited  for  these  actions  do  not  refer  specifically 
to  homeland  security  guidance  materials,  but  instead  to  FISMA,  the  Clinger-Cohen 
Act,  the  Information  Technology  Management  Reform  Act  (Division  E  of  P.L.  104- 
106),  and  OMB  Circular  A-130.315  DHHS  said  it  also  incorporates  the  requirements 
specified  in  relevant  executive  orders,  Homeland  Security  Presidential  Directives, 
NIST  Special  Publications,  and  so  forth.  In  the  DHHS  documents,  implementation 
procedures  include  background  checks  for  accessibility  to  sensitive  information, 
nondisclosure  agreements,  protection  and  encryption  procedures,  and  so  forth.  These 
documents  apply  to  information  systems,  including  hardware,  software,  and  data  on 


312  Manual,  op.  cit.,  p.  3. 

313  Griffin,  Apr.  2003,  op.  cit. 

314  HHS  IRM  Policy  2004-002.001. 

315  HHS  IRM  Policy  2004-002.001,  pp.  1,  2. 
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them  of  any  sensitivity  or  classification.316  Use  of  these  concepts  replaces  the  use  of 
the  term  “sensitive”  and  of  the  CSA  concepts,  which  DHHS  appears  to  have  halted 
in  2004.317 

Military  Joint  Futures  Laboratory.  The  Military  Joint  Futures  Laboratory 
of  the  U.S.  Joint  Forces  Command  is  conducting  a  study  of  implementation  of  SBU 
information  policies  and  procedures  in  military  programs.  Pursuant  to  DOD 
guidance,  “All  DOD  unclassified  information  must  be  reviewed  before  it  is  released 
to  the  public  or  to  foreign  governments  and  international  organizations.”318  That 
which  is  not  released  in  accordance  with  national  laws,  policies,  and  regulations  of 
the  originating  country319  shall  be  stamped  FOUO  and  access  control  and  protection 
procedures  applied.  These  kinds  of  information  include,  but  are  not  limited  to,  For 
Official  Use  Only,  Law  Enforcement  Sensitive,  Sensitive  But  Unclassified,  Limited 
Official  Use  Only,  and  Limited  Distribution.320  According  an  information  security 
analyst,  “controlled  unclassified  information”  (CUI)  lacks  a  clear  definition,  policy 
guidance,  or  central  authority  to  develop  and  mandate  control  policies.  Only  the 
originator  of  the  information  can  authorize  disclosure  or  release.  He  suggests  using 
NIST  documents  and  guidance  to  identify  CUI  and  to  conduct  threat  and 
vulnerability  analysis  for  information.321 


316  Information  Security  Program:  Information  Security  Program  Handbook,  Nov.  12,2004, 
pp.  1,  32,  and  Information  Security  Program:  Information  Security  Program  Policy,  Dec. 
15,  2004,  p.  1. 

317  DHHS  still  referred  to  the  Computer  Security  Act  in  its  now  superceded  2005  update  of 
its  Automated  Information  Systems  Security  Programs  Handbook  to  note  that  sensitive 
unclassified  agency  information  should  be  given  the  security-level  designation  “high 
sensitivity”  (the  two  lower  are  “low”  and  “moderate”)  and  should  use  the  next  highest  level 
of  “high  and  national  security  interests”  if  the  loss  of  it  could  adversely  affect  national 
security  interests.  DHHS  is  also  developing  a  new  Automated  Information  Technology 
Security  Program  to  “document  and  evaluate  the  existence  and  reliability  of  the  Automated 
Information  System  Security  Program  at  selected  operating  divisions.  This  program  helps 
to  protect  information  resources  in  compliance  with  the  Computer  Security  Act  of  1987  and 
the  directives  of  OMB  and  the  National  Institute  of  Standards  and  Technology.”  It  used  the 
CSA  definition  of  sensitive  in  DHHS  Automated  Information  Systems  Security  Program 
Handbook,  available  at  [http://wwwoirm.nih.gOv/policy/aissp.html#OverviewII],  This 
handbook  was  superceded  by  the  2004  documents  identified  in  the  text  above.  Reference 
to  protection  of  information  resources  in  compliance  with  the  CSA  and  use  of  the  term 
“sensitive”  appears  to  have  ceased  after  last  used  in  HHS/OG  Fiscal  Year  2005  Work  Plan 

—  Department-wide,  p.  5,  http://oig.hhs.gov/publications/docs/workplan/2005 
/2005WPDptwd.pdf. 

318  “Information  Security  Challenge  for  J9  Marking  Controlled  Unclassified  Information 
(CUI),  [Slide  show],  by  Bob  Craig,  INFOSEC  Policy  Analyst  Briefing  to  the  Joint  Concept 
Development  Pathway,  as  of  Mar.  18,  2005. 

319  Craig,  Slides,  Mar.  18,  2005. 

320  Appendix  3:  “Controlled  Unclassified  Information,”  of  Interim  Information  Security 
Guidance,  Apr.  16,  2004,  on  changes  to  DOD  Regulation  5200. 1-R,  Jan.  1997. 

321  Interviews  of  Robert  Craig,  January  and  March  2005  and  Craig,  Slides,  Mar.  18,  2005. 
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Information  Sharing  and  Analysis  Centers  (ISAC).  ISACs  are  private 
organizations  that  collect,  distribute,  analyze,  and  share  sensitive  information 
regarding  threats,  vulnerabilities,  alerts  and  best  practices  to  protect  national  critical 
infrastructures  in  fields  such  as  chemistry,  electricity,  energy,  financial  services, 
healthcare,  information  technology,  public  transit,  surface  transportation, 
telecommunications,  and  water,  physical,  and  cyber  security  critical  infrastructures.322 
They  were  established  in  response  to  Presidential  Directive  63,  1998,  which 
mandated  that  the  public  and  private  sectors  share  information  about  physical  and 
cyber  security  threats  and  vulnerabilities  to  help  protect  U.S.  critical  infrastructures. 
The  directive  was  updated  by  Homeland  Security  Presidential  Directive  7  in  2003. 

The  ISAC  information  sharing  process  developed  a  categorization  scheme  for 
unclassified  government  data,  as  well  as  data  originating  from  ISAC  members, 
“based  upon  level  of  sensitivity.”  Vetting  of  the  data  is  to  address  four  levels.  The 
most  restrictive  is  “Privileged  Information/Restricted  Use  (Level  3)  -  Information  that 
should  only  be  distributed  to  individuals  who  must  act,  analyze,  or  make  decisions 
based  on  the  data.  Distribute  only  to  individuals  with  Level  3  Background  check. 
This  should  include  Government  ‘Sensitive  But  Unclassified’  information  and 
similar  very  close-hold  information.”323  A  level  3  background  check  “[requires  10 
years  of  history  immediately  prior  to  the  background  check.  Includes  felony  checks 
from  all  jurisdictions  in  which  subject  readied  during  period.  Includes  scan  of 
additional  databases,  and  personal  interviews.  Requires  recertification  every  three 
years.”324 

Agencies  That  Mix  Use  of  CSA  and  FISMA  Concepts 

Agencies  that  use  mixed  models  of  the  CSA  definition  and  risk-based  guidelines 
include  USDA  and  a  DOE-affiliated  agency. 

U.S.  Department  of  Agriculture.  The  Department  of  Agriculture  (USDA) 
promulgated  regulations  requiring  its  constituent  agencies  to  issue  criteria  and 
directives  to  identify  “sensitive  security  information,”  defined  as  unclassified 
information  that  if  publicly  disclosed  could  be  expected  to  have  a  “harmful  impact 
on  the  security  of  person,  place,  or  property.”  Among  the  science  and  technology- 
related  “USDA  SSI  possibilities”  it  identified  “building  vulnerabilities,  ...  select 
agent  pathogen  locations,  ...  USDA  computer  infrastructure  details,  rural 
development  management  control  review  that  reveal  vulnerabilities,  ...  the  ARS 
report  Strategic  Research  Targets  to  Potential  American  Livestock  and  Poultry  from 
Biological  Threat  Agents, ...  security  assessment  of  USDA  Non-BSL-03  laboratories, 
[and]  local  pathogen  inventories  for  USDA  non-BSL-3  laboratories....”325  Such 
information  should  be  identified  and  protected  after  an  informal  “...  risk  analysis  and 
determination  to  identify  potential  threats  and  appropriate  vulnerabilities  to  SSI  in 


322  “Vetting  and  Trust  for  Communications  Among  ISACs  and  Government  Entities,”  ISAC 
Council  White  Paper,  Jan.  31,  2004,  pp.  5,  6,  8. 

323  “Vetting  and  Trust  for  Communications  Among  ISACs....,”  pp.  5-6. 

324  “Vetting  and  Trust  for  Communications  Among  ISACs....,”  p.  6. 

325  Slide  show,  “USDA  Sensitive  Security  Information,  DR3440-2,  April  2004.” 
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their  custody.”  326  Only  those  who  have  a  “need  to  know”  are  to  have  access  to  SSI. 
Need-to-know  determinations  are  to  be  made  by  an  authorized  holder  of  SSI  who 
attests  that  a  prospective  recipient  requires  access  to  perform  or  assist  in  a  lawful  and 
authorized  governmental  function.  Information  designated  “SSI”  should  be  protected 
no  longer  than  10  years,  unless  a  designating  official  determines  otherwise.  SSI 
information  is  releasable  under  FOIA,  but  requests  for  such  information  should  be 
processed  in  accord  with  the  October  10, 2001  Attorney  General’ s  memorandum  and 
should  consider  use  of  FOIA  exemptions  two,  three,  four,  and  seven.327 

On  February  17,  2005,  USDA  promulgated  a  protection  policy  for  SBU 
information,  which  is  different  from  SSI  because  it  “contains  information  that  is  not 
security-related  but  is  still  sensitive  in  terms  of  its  risk  of  exposure.”328  This 
information  is  to  be  protected  and  encrypted  for  transmittal  in  accord  with  OMB 
Circular  A- 130  and  NIST  guidance,  some  of  which  is  specified.  All  employees  and 
contractors  with  a  “need  to  know”  must  sign  a  nondisclosure  agreement  and  are 
subject  to  penalties  of  noncompliance.  Information  may  be  processed  for  FOIA 
claims,  but  it  should  be  considered  for  protection  in  light  of  the  Attorney  General’s 
memorandum.  SBU  is  defined  as  in  CSA,  but  without  identifying  the  source  as  the 
CSA.329 

Western  Area  Power  Administration  (WAP A).  The  Western  Area  Power 
Administration,  (WAPA),  an  entity  of  the  U.S.  Department  of  Energy,330  issued 
guidance  for  handling  sensitive  information  that  it  said  conforms  with  Department 
of  Energy  policy.331  “OUO  information,”  it  declared,  “must ...  be  unclassified;  could 
be  used  to  damage  government,  commercial  or  private  interests;  [and]  be  exempt 


326  “USDA,  “Departmental  Regulation  Number:  3440-002  Subject:  Control  and  Protection 
of  “Sensitive  Security  Information,”  at  [http://www.fas.org/sgp/othergov/usda3440-02]. 
Although  risk  analysis  is  required,  no  reference  was  made  to  using  NIST-promulgated 
security  standards  or  methodology  to  determine  risk  level  and  security  level. 

327  Regulation  3440-002,  op.  cit. 

328  “Sensitive  But  Unclassified  (SBU)  Information  Protection,”  Chapter  10,  Part  2,  DM 
3550-002,  Feb.  17,  2005. 

329  “Conditional  Access  to  USDA  Sensitive  but  Unclassified  Information,”  Nondisclosure 
Agreement.  Attached  to  DM  3550-002. 

330  According  to  WAPA,  “Western  Area  Power  Administration  markets  and  delivers  reliable, 
cost-based  hydroelectric  power  and  related  services  within  a  15-state  region  of  the  central 
and  western  U.S.  We’re  one  of  four  power  marketing  administrations  within  the  U.S. 
Department  of  Energy  whose  role  is  to  market  and  transmit  electricity  from  multi-use  water 
projects.  Our  transmission  system  carries  electricity  from  55  hydropower  plants  operated 
by  the  Bureau  of  Reclamation,  U.S.  Army  Corps  of  Engineers  and  the  International 
Boundary  and  Water  Commission.”  Available  at  [http://www.wapa.gov/about/default.htm], 

331  This  was  identified  as  “WAPA  P  471.1,  “Identifying  and  Protecting  Official  Use  Only 

Information,”  that  states  Western’s  intent  to  follow  DOE  Order  471.3,  “Identification  and 
Protection  of  Official  Use  Only  Information”(Susan  DeBelle,  “  ‘Official  Use’  Info  Requires 
Special  Care,”  Closed  Circuit,  May  28,  2004,  vol.  26,  no.  11, 

[http://www.wapa.gov/newsroom/cct/2004/may28/26nol  14.htm]). 
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from  disclosure  under  the  Freedom  of  Information  Act.”332  All  such  documents  must 
be  marked  and  protected  as  directed  “in  the  DOE  Manual  for  Identifying  and 
Protecting  Official  Use  Only  Information ,”333  Even  information  releasable  under 
FOIA  should  be  protected  if  it  is  sensitive  (such  as  “total  flow  on  a  specified 
grouping  of  transmission  lines  maps  and  environmental  impact  statements  that  were 
previously  posted  on  the  Internet.”)  Specifically,  for  such  information,  it 
recommends  posting  “  a  summary  of  the  information  on  the  Internet;  or  providing] 
information  that  will  enable  a  reader  to  request  a  copy  of  the  document.  This  will 
give  you  an  opportunity  to  determine  whether  or  not  the  requester  has  a  legitimate 
need  for  the  material.”334  Protections  should  be  applied  to  information  that  meets 
certain  criteria,  including  the  technology-related  dimensions  of  whether  it  contains 
“details  about  critical  operating  facilities,  systems  or  vulnerabilities”;  could  have 
questionable  impacts  if  “it  inadvertently  reached  an  unintended  audience”;  could 
provide”details  concerning  physical  or  cyber  security  measures”;  could  be 
“dangerous  if  it  were  used  in  conjunction  with  other  publicly  available  information”; 
could  be  used  “to  target  Western  staff,  facilities  or  operations”;  or  could  “increase  the 
attractiveness  of  a  critical  infrastructure  asset  as  a  target.”335 

Agencies  That  Use  Unique  Definitions 

Some  agencies  have  developed  their  own  definitions  of  sensitive  information 
that  do  not  reference  either  the  CSA  or  NIST-based  standards. 

Department  of  Defense.  DOD  uses  the  following  definition  for  SBU:  For 
“[ajccess  within  the  Department  of  Defense,  the  criteria  for  allowing  access  to  SBU 
information  are  the  same  as  those  used  for  FOUO  information,  except  that 
information  received  from  the  Department  of  State  marked  SBU  shall  not  be 
provided  to  any  person  who  is  not  a  U.S.  citizen  without  the  approval  of  the 
Department  of  State  activity  that  originated  the  information.”336  “For  official  use 
only”  information  is  for  unclassified  information  and  “is  applied  to  information  that 
may  be  exempt  under  one  or  more  of  the  other  eight  exemptions  [to  FOIA,  the  first 
exception  is  for  classified  information].”337  However,  marking  it  FOUO  does  not 
automatically  qualify  it  for  an  exemption  from  FOIA.  Access  is  granted  to  those  with 


332  DeBelle,  op.  cit. 

3  3  3  The  manual  expires  Apr.  9,  2007,  according  to 

[http://oml.gov/doe/doe_oro_dmg/doectrlfrms.htm].  It  is  not  readily  available  to  permit 
review  if  it  contains  definitions  of  sensitive. 

334  DeBelle,  op.cit. 

335  DeBelle,  op.  cit. 

336  “Interim  Guidance  on  Safeguarding  and  Controlled  Unclassified  Information,”  Attached 
to  Interim  Information  Security  Guidance,  ”  from  Stephen  A.  Cambone,  Undersecretary  of 
Defense,  Memo  for  Secretaries  of  the  Military  Departments,  et  al.,  Apr.  16,  2004,  p.  6. 

337  Attachment  to  Cambone,  op.  cit.,  p.  2. 
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a  need  for  such  access,  and  such  information  should  be  stored  in  locked  files  and 
unauthorized  disclosure  will  be  punished  by  “appropriate  disciplinary  action.”338 

Department  of  the  Army.  The  Department  of  the  Army  uses  the  term 
“Technical  controlled  unclassified  information,”  pursuant  to  P.L.  98-94,  for  data 
“that  disclose  critical  technology  with  military  or  space  applications.  This  includes 
any  blueprint,  drawing,  plan,  instruction,  computer  software  and  documentation,  or 
other  technical  information  that  can  be  used  or  be  adapted  to  design,  engineer, 
produce,  manufacture,  operate,  repair,  overhaul,  or  reproduce  any  military  or  space 
equipment  or  technology  concerning  such  equipment.”339 

Department  of  Energy.  The  DOE  uses  the  term  “official  use  only”  for 
“sensitive”  information  that  is  unclassified.  As  one  of  its  responses  to  the 
recommendations  of  the  Commission  on  Science  and  Security  in  the  21st  century,  the 
DOE  said  it  prepared  “...a  new  Official  Use  Only  (OUO)  Information  Order 
[completed  in  June  2002  and  current  through  April  2007],  aimed  at  addressing  the 
issue  of  ‘Sensitive,  But  Unclassified  Information’  through  the  establishment  of  three 
information  types  (classified,  unclassified  and  Official  Use  Only.)”340  “To  be 
identified  as  OUO,  information  must  be  unclassified;  have  the  potential  to  damage 
governmental,  commercial,  or  private  interests  if  disseminated  to  persons  who  do  not 
need  to  know  the  information  to  perform  their  jobs  or  other  DOE-authorized 
activities”  and  fall  under  at  least  one  of  FOIA  exemptions  two  through  nine,  Access 
to  documents  marked  OUO  is  limited  to  persons  who  need  it  to  perform  their  jobs  or 
other  DOE-authorized  activities.  Documents  need  to  be  protected  as  described  in 
DOE  M  471.3-1,  and  administrative  penalties  may  be  imposed  on  DOE  employees 
for  improperly  marking  or  releasing  a  OUO  document.  These  provisions  are 
applicable  to  all  DOE  elements  and  contractors.341  An  official  with  DOE’s 
Safeguards  and  Security  Policy  staff  interpreted  DOE’s  rules  with  respect  to  SBU 
science  and  technology  information,  which,  he  said,  encompasses  such  things  as 
“facilities,  personnel,  programs,  materials,  security,  safety  assessment, 
vulnerabilities,  and  the  sensitive  subjects  list.”342  Officials  charged  with  categorizing 
information  are  to  take  the  following  “considerations”  into  account  when  deciding 
if  information  is  sensitive:  “suitability  —  what  does  it  do  for  the  person, 
organization.  Department;  sensitivity  —  how  can  it  be  used  by  an  adversary?;  risk 


338  Attachment  to  Cambone,  op.  cit.,  pp.  3-4. 

339  “Controlled  Unclassified  Information  (CUI)”  powerpoint  slide  show,  produced  by 
Department  of  the  Army,  op.  cit. 

340  DOE,  “Commission  on  Science  and  Security  in  the  21st  Century,  DOE  accompanied  by 
Recommendations,”  June  20,  2002.  The  statement  referenced  the  DOE  document  Subject: 
Identifying  and  Protecting  Official  Use  Only  Information,  DOE  Order  M  471.3-1,  Apr.  9, 
2003  (which  is  current  through  Apr.  2007). 

341  See  also  “Subject:  Identifying  and  Protecting  Official  Use  Only  Information,”  DOE  Order 
O  47 1 .3,  Apr.  9, 2003.  See  also  “Identifying  and  Protecting  Official  Use  Only  Information,” 
pp.  4,  6  in  DOE  Information  Classification  and  Control  Policy  Communique,  Feb.  2004. 

342  Ray  Holmer,  “Sensitive  Information  on  the  Web,  an  Information  Security  Perspective,” 
STIP  Meeting  May  1 ,  2003 . 
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—  what  are  the  chances  of  an  adversary  using  the  information?;  consequences  — 
what  could  happen  if  an  adversary  used  the  information?”343 

DOE  also  maintains  a  Sensitive  Subjects  List,  used  largely  by  affiliated  national 
laboratories,  that  identifies  sensitive  information  deemed  significant  to  U.S.  national 
security.  It  is  an  internal  DOE  list  to  be  used  to  identify  fields  that  require  a  U.S. 
export  license  for  a  foreign  national.  Topics  included  relate  to  nuclear  weapons  and 
nuclear  fuel  cycle,  rockets,  missiles,  and  delivery  systems;  conventional  arms  and 
other  defense-related  technology;  chemical  and  biological  weapons;  advanced 
scientific  computers  and  software;  and  business  sensitive  (proprietary)  information.344 

Nuclear  Regulatory  Commission.  The  Nuclear  Regulatory  Commission 
issued  rules  for  “Safeguards  Information”  (SGI)  —  that  is,  unclassified  sensitive 
information  deemed  too  sensitive  for  public  release.  The  proposed  rule,  issued  in 
February  2005,  said  that  SGI  needs  to  be  protected  from  unauthorized  disclosure 
under  section  147  of  the  Atomic  Energy  Act  of  1954  as  amended.  The  proposed  rule 
expanded  the  scope  of  information  included  and  made  more  rigorous  standards  and 
requirements  for  background  checks  and  fingerprinting  for  those  who  have  a  “need 
to  know”  to  see  the  information.345  The  definition  was  promulgated  in  a  release 
issued  on  May  11,  2005:  “While  SGI  is  considered  to  be  sensitive  unclassified 
information,  its  handling  and  protection  more  closely  resemble  the  handling  of 
classified  confidential  information  than  other  sensitive  unclassified  information.”346 
“Sensitive  unclassified  information,”  according  to  NRC, 

is  generally  not  publicly  available  and  encompasses  a  wide  variety  of  categories 
(e.g.,  personnel  privacy,  attorney-client  privilege,  confidential  source,  etc.). 
Information  about  a  licensee’s  or  applicant’s  physical  protection  or  material 
control  and  accounting  program  for  special  nuclear  material  not  otherwise 
designated  as  Safeguards  Information  or  classified  as  National  Security 
Information  or  Restricted  Data  is  required  by  10  CFR  2.390  to  be  protected  in  the 
same  manner  as  commercial  or  financial  information,  i.e.,  they  are  exempt  from 
public  disclosure.347 

Federal  Energy  Regulatory  Commission.  The  Federal  Energy 
Regulatory  Commission  (FERC)  issued  a  final  rule  outlining  access  procedures  to 
critical  energy  infrastructure  information  (CEII),  an  SBU  category  it  uses.  CEII  is 
technical  information  submitted  from  companies  and  utilities  during  regulatory 
proceedings.  Before  September  11,  2001  most  of  this  information  was  made  public. 


343  Holmer,  op.cit. 

344  DOE  Sensitive  Subjects  List  (revised  June  2001),  available  at 
[http://www.llnl.gov/expcon/SSL.pdf]. 

345  Nuclear  Regulatory  Commission,  “Protection  of  Safeguards  Information,”  Proposed 

Rule,  Federal  Register,  Feb.  11,  1005,  pp.  7196-7217,  cited  in  “NRC  Proposes  New  Rule 
on  Unclassified  Safeguards  Info,”  Secrecy  News,  Feb.  11,  2005, 

[http://www.fas.org/sgp/news/2005/02/fr021 105.html], 

346  NRC  “Information  Security,”  May  1  1,  2005,  available  at 

[http://www.nrc.gOv/what-we-do/safeguards/info-security.html#safe]. 

347  “Information  Security,”  May  11,  2005. 
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FERC’s  position  is  that  CEE  includes  only  information  that  is  exempt  from 
disclosure  under  FOIA.  It  also  said  it  developed  a  process  to  allow  requests  to  be 
made  for  information  that  is  not  already  publicly  available  under  FOIA,  but  also  will 
keep  sensitive  infrastructure  information  out  of  the  public  domain  in  order  to  help 
deter  terrorist  attacks.  The  rule  noted  that  the  FOIA  exemptions  most  likely  to  apply 
to  CEE  are  exemptions  two,  four,  and  seven.348 


Appendix  B.  Illustrations  of  Federal  Information 
Systems  Created  to  Transmit  Sensitive  But 
Unclassified  Information 

Federal  agencies  have  started  to  develop  information  systems  to  share  SBU 
information  and  data  among  themselves  and  with  state  and  local  first  responders. 
Some  of  these  were  mandated  by  statute.  The  major  legal  authorities  include  the 
Homeland  Security  Information  Sharing  Act,  section  892  of  P.F.  107-296,  which 
required  the  development  of  information  sharing  procedures  for  certain  types  of 
homeland  security  information;  Homeland  Security  Presidential  Directive  (HSPD-7), 
which  required  DHS  to  produce  a  national  infrastructure  protection  plan  summarizing 
initiatives  to  share  information  among  public  and  private  sectors;  the  issuance  in 
August  2004  of  executive  orders  to  strengthen  terrorism  information  sharing 
standards,349  establishment  of  a  National  Counterterrorism  Center;350  as  well  as 
passage  in  December  2004  of  the  Intelligence  Reform  and  Terrorism  Prevention  Act 
of  2004,  P.F.  108-458,  which  required  the  establishment  of  an  information- sharing 
environment  (ISE)  and  ISE  council  to  exchange  terrorism  information  among  pubic 
and  private  entities. 

Government  Accountability  Office  (GAO)  Inventory 

The  GAO  reported  to  Congress  in  September  2004351  that  its  survey  showed  that 
nine  federal  agencies352  had  developed  34  networks  to  share  information  in  support 
of  homeland  security  functions.  These  include  networks  such  as  DHS’s  Critical 
Infrastructure  Warning  Information  Network  (CWIN).  Five  agencies,  DHS,  DOD, 
DOJ,  State,  and  Treasury  managed  18  networks  (17  operational  and  one  in 
development)  for  SBU  information.  (SBU  “is  a  generic  term  used  to  describe 
unclassified  information  that  is  (1)  not  required  by  law  to  be  made  available  to  the 


348  “Federal  Energy  Regulatory  Commission,  Critical  Energy  Infrastructure  Information,” 
Feb.  21,  2003.  Federal  Register,  Mar.  3,  2003,  vol.  68,  no.  41,  pp.  9857-9873.  For 
secondary  analysis,  see  [http://www.openthegovernment.Org/article/articleview/50/l/16]. 

349  E.0. 1 3356,  “Strengthening  the  Sharing  of  Terrorism  Information  to  Protect  Americans,” 
Aug.  27,  2004. 

350  E.O.  13354,  “National  Counterterrorism  Center,”  Aug.  27,  2004. 

351  Government  Accountability  Office,  Information  Technology:  Major  Federal  Networks 
That  Support  Homeland  Security  Functions,  Sept.  2004,  GAO-04-375. 

352  Departments  of  Agriculture,  Defense,  Energy,  Health  and  Human  Services,  Homeland 
Security,  Justice,  State,  Treasury,  and  the  Environmental  Protection  Agency,  pp.  50-51. 
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public,  and  (2)  sufficiently  sensitive  to  restrict  access  from  public  disclosure,  but  not 
sensitive  enough  to  warrant  a  classified  designation.”353)  Of  these,  1 1  were  networks 
that  shared  information  internally  only  within  an  agency,  2  were  networks  that  shared 
information  only  with  other  federal  agencies,  and  5  networks  shared  information  with 
state  and  local  government  agencies  or  the  private  sector.354 

Most  of  the  systems  permit  information  dissemination  on  a  “need-to-know” 
basis.  GAO  catalogued  many  of  these  requirements  and  responses  in  its  report  High 
Risk  Series:  An  Update,  released  in  January  2005. 355  See  also  the  aforementioned 
CRS  Report  RL32597. 

Other  Federal  Information  Systems 

Since  the  GAO  inventory,  additional  information  systems  have  been  identified 
that  exchange  SBU  information.356  For  instance,  DHS  is  developing  a  “Homeland 
Security  Information  Network”  that  will  utilize  the  Joint  Regional  Information 
Exchange  to  share  SBU  and  classified  information  with  state  and  local  personnel  and 
the  private  sector.  It  was  reported  in  February  2004  that  there  were  about  1,000 
users.357  Other  networks  over  which  SBU  information  exchange  occurs  include  the 
“Unclassified  but  Sensitive  Internet  Protocol  Router  Network,”  a  government 
network  between  DOD  users;358  and  the  “Terrorist  Threat  Integration  Center  (TTIC) 
TTIC  Online  system,”  a  DHS  information  network  for  disseminating  classified 
domestic  and  international  terrorist  information  from  14  U.S.  government  agencies, 
which  is  “being  updated  to  support  collaboration  and  information  sharing  at  varying 
levels,  from  Top  Secret  to  Sensitive  But  Unclassified.”359  There  is  also  the  “Multi- 
State  Anti-Terrorism  Information  Exchange”  (MATRIX),  aregional  system  covering 
13  states,  including  Alabama,  Connecticut,  Florida,  Georgia,  Kentucky,  Louisiana, 
Michigan,  New  York,  Oregon,  Pennsylvania,  South  Carolina,  Ohio,  and  Utah,  which 
exchanges  “sensitive  terrorism-related  information  among  members  of  the  law 
enforcement  community.”360 


353  Information  Technology:  Major  Federal  Networks ,  op,  cit.,  p.  12. 

354  Information  Technology:  Major  Federal  Networks ,  op.  cit.,  p.  31. 

355  GAO  05-207,  op.  cit.,  pp.  15-20. 

356  For  additional  details  on  these  types  of  information  sharing  systems,  see  Relyea  and 
Seifert,  op.  cit. 

357  “Homeland  Security  Information  Network  to  Expand  Collaboration,  Connectivity  for 
State  and  Major  Cities,”  DHS  press  release,  Feb.  24,  2004. 

3  5  8  Discussing  an  Inspector  General  Report  on  this  topic: 
[http  ://www .  stormingmedia.us/7 6/76 1 5/A76 1 5  8 3 .  html] . 

359  Statement  for  the  Record  of  John  O.  Brennan,  Director  Terrorist  Threat  Integration 
Center  on  “The  Homeland  Security  Advisory  System:  Improving  Preparedness  Through 
Effective  Warning  before  the  House  Select  Committee  on  Homeland  Security,”  Feb.  4, 
2004. 

360  “State  of  Georgia  Homeland  Security  Bulletin  on  MATRIX,”  Aug.  1,  2003,  Georgia’s 
Homeland  Security  Bulletin  No.  20-03. 
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The  Federal  Bureau  of  Investigation  in  the  Justice  Department  uses  a  system 
called  “Law  Enforcement  Online  (LEO),  a  virtual  private  network  that  reaches 
federal,  state,  and  law  enforcement  agencies  at  the  Sensitive  but  Unclassified  (SBU) 
level.”361  It  also  “has  secure  connectivity  to  the  Regional  Information  Sharing 
Systems  network  (riss.net).”  Reportedly,  LEO  has  about  30,000  users,  including 
state  and  local  law  enforcement  members.  “LEO  makes  finished  FBI  intelligence 
products  available,  including  Intelligence  Assessments  resulting  from  analysis  of 
criminal,  cyber,  and  terrorism  intelligence.”  The  system  also  provides  access  to 
“Intelligence  Information  Reports”  at  the  Law  Enforcement  Sensitive  classification 
level.  “[t]he  FBI  posted  the  requirements  document  on  LEO,  which  provided  state 
and  local  law  enforcement  a  shared  view  of  the  terrorist  threat  and  the  information 
needed  in  every  priority  area.”  Reportedly,  “The  FBI  will  use  an  enhanced  LEO  as 
the  primary  channel  for  sensitive  but  unclassified  communications  with  other  federal, 
state  and  local  agencies.  LEO  and  the  DHS  Joint  Regional  Information  Exchange 
System  (JRIES)  will  also  be  interoperable.” 

DHS  also  launched  a  system  in  April  2004  for  “state  and  local  emergency 
officials  across  the  country  ...  [to]  ...  trade  preparedness  tips,  training  ideas  and  best 
practices  right  from  their  desks  on  the  Lessons  Learned  Information  Sharing  system, 
LLIS....”362  Reportedly,  emergency  officials  will  have  to  complete  an  online 
authorization  process  to  view  the  site,  whose  content  “must  meet  DHS  standards  for 
‘sensitive,  but  unclassified  information....’” 

FEDTeDS 

In  addition  to  these  networks,  the  federal  government  created  FEDTeDS,  the 
Federal  Technical  Data  Solution.  It  is  a  way  to  transmit  and  disseminate  security- 
sensitive  or  sensitive  but  unclassified  acquisition  material  related  to  solicitations 
found  in  FedBizOpps.gov  [http://www.fedbizopps.gov]  ,363  It  is  a  collaborative  effort 
among  agencies,  led  by  DOD,  the  Coast  Guard,  and  the  Integrated  Acquisition 
Environment  (IAE)  eGovernment  initiative  under  the  President’s  Management 
Agenda.  Vendors  are  to  use  this  system  to  prepare  sensitive  information  in  bids  or 
proposals.  Such  information  can  include  specifications,  drawing  and  plans  for 
federal  installations,  schedules,  procedures,  and  so  forth.  More  than  90  federal 
agencies  are  reported  to  disseminate  SBU  acquisitions-related  materials  during  the 


361  Statement  of  Maureen  A.  Baginski,  Executive  Assistant  Director,  Intelligence,  Federal 
Bureau  of  Investigation,  before  the  House  of  Representatives  Select  Committee  on 
Homeland  Security,  Aug.  17,  2004. 

362  Caitlin  Harrington,  “DHS  Launching  Web  Page  for  Emergency  Officials  to  Trade  Tips,” 
Congressional  Quarterly  Homeland  Security,  May  15,  2004. 

363  According  to  Federal  Technical  Data  Solution  (FEDTeDS),  sensitive  data  with  respect 
to  the  solicitation  phase  of  procurement  via  the  Internet  includes  “information  related  to 
operations,  weapons  systems  and  plans,  transit  authority,  structures,  individuals  and  services 
essential  to  the  security  and  management  of  a  facility,  including  telecommunications, 
electrical  power,  building  facility  structure  layout.  Gas  and  oil  storage/transportation,  water 
supply,  emergency  services,  and  the  continuity  of  operations”  (“Federal  Technical  Data 
Solution  (FedTeDS)  Providing  Federal  Agencies  a  System  to  Safeguard  ‘Sensitive  But 
Unclassified’  Acquisition  Information,”  IAE  Bulletin,  No.  4,  July  17,  2003). 
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solicitation  phase  of  procurement  via  the  Internet;  this  system  serves  approved  users. 
It  became  operational  on  February  19,  2003. 364 

Section  1016  (b)  of  P.L.  108-458,  the  National  Intelligence  Reform  Act  (S. 
2845,  H.Rept  108-796),  the  intelligence  overhaul  bill  responsive  to  the  9/11 
commission  report,  called  for  development  of  an  “information  sharing  environment” 
that  would  link  information  systems  and  allow  users  to  share  information  between 
agencies,  between  levels  of  government,  and  with  the  private  sector.  It  also 
mandated  a  principal  officer  and  executive  committee  to  create  rules  and  regulations 
to  implement  the  information  sharing  environment.  Reportedly,  DHS’s  Homeland 
Security  Advisory  Council  plans  on  releasing  a  report  that  calls  for  more  information 
exchanges  from  federal  to  state,  local,  and  private  sectors,  and  vice  versa.365 

The  aforementioned  GAO  High  Risk  Series  Report  concluded  that  despite  these 
kinds  of  efforts,  “a  great  deal  of  work  remains  ...  to  improve  homeland  security 
information  sharing,  including  establishing  clear  goals,  objectives,  and  expectations 
for  the  many  participants  in  information- sharing  efforts;  and  consolidated, 
standardizing,  and  enhancing  federal  structures,  policies,  and  capabilities  for  the 
analysis  and  dissemination  of  information.”366 


364  Lisa  Cliff,  “E-Gov  Corner:  FedTeDS  (Federal  Technical  Data  Solutions),”  Federal 
Acquisition ,  July  2003,  and  “Federal  Technical  Data  Solution  (FedTeDS)  Providing  Federal 
Agencies  a  System  to  Safeguard  ‘Sensitive  B  ut  Unclassified’  Acquisition  Information,”  IAE 
Bulletin  No.  4,  July  17,  2003.  See  also  “Business  Opportunities,”  Homeland  Security 
IntelWatch,  Mar.  1 1 ,  2004,  p.  1 . 

365  Joe  Fiorill,  “U.S.  Panel  Seeks  Broad  Information-Sharing  Changes  to  Improve 
Antiterrorism  Efforts,”  NTI,  Global  Security  Newswire,  Dec.  13,2004. 

366  GAO  05-207,  op.  cit.,  p.  20. 


